
If you’ve followed the blog, you know I’ve spent a lot of time working with kiosk-style deployments on Windows devices. This month we’re going all-in on the technology that has become the proper way to lock down Windows 11 devices in public and shared environments.
We’re calling it Assigned Access April — an entire month focused on Windows 11 Assigned Access and how it’s fundamentally changing reliable kiosk experiences. First up, our go-to XML template for Assigned Access – check out the technical specs and details below!
Technical Specs
Tool Name: Assigned Access Base XML Template + Edge Kiosk Shortcut Script
Problem it Solves: The legacy Intune Kiosk templates were built for Windows 10 and never fully updated for Windows 11. Assigned Access with XML gives more flexible control for single-app and multi-app kiosk scenarios, replacing the old approach for long-term success.
Target Scenario: Intune admins managing public/shared devices (lobby kiosks, digital signage, general-use computers) that need reliable lockdown.
Tested in: Lab environments on workgroup machines (recommended starting point). Validated on Windows 11 24H2 and 25H2. Local admin access required for initial testing and PowerShell configuration.
Security Considerations: Uses local autologon to kioskuser0. Security baselines and compliance policies can interfere with autologon, so exemptions may be needed in production.
Maintenance Status: Actively used and maintained in my own testing; community feedback welcome for improvements.
Why Assigned Access Matters Now
As we moved from Windows 10 to Windows 11, the old Intune Kiosk templates stopped being the best option. Microsoft introduced Assigned Access — a more powerful replacement that uses XML configurations for both single-app and multi-app lockdown.
The XML format gives better control and visibility once you get used to it; for the kickoff of Assigned Access April, here’s the exact base template I use when testing or building new Assigned Access configurations.
→ Download the base Assigned Access Template here: AssignedAccessTemplate.xml
Important Notes and Considerations
- Start Local (Workgroup Machine and Local User Accounts Recommended)
If you’re new to Assigned Access, test first on a simple workgroup Windows 11 machine (not Entra ID or Autopilot). This removes extra complexity. Security baselines often break the autologon used in this template.
- Windows Version Matters
Use Windows 11 24H2 (build 26100.8037) or 25H2 (build 26200.8037) or newer. These fixed several bugs in SingleAppMode and AllowedList mode.
- Policy Propagation Takes Time
Reboot the device multiple times after applying, and log in as the LAPS user if you need to troubleshoot and review logs. kioskuser0 customizations don’t always apply immediately.
- What This Template Does
It automatically logs on a local user and launches Microsoft Edge in full Kiosk Mode (SingleAppMode). A secondary multi-app Assigned Access profile is configured for additional local or Entra users scoped in the config section of the XML.
- Edge Behavior in Multi-App Mode
Edge requires SingleAppMode for native public browsing kiosk settings. For a true multi-app Microsoft Edge Kiosk Mode, use a custom shortcut and pin it via XML. Check out my custom script for this at the link below!
→ Edge Kiosk Mode Shortcut Script: EdgeKioskMode_Shortcut.ps1
Multi-App & Entra User Behavior Considerations
Microsoft refers to the multi-app Assigned Access configuration as a restricted Experience Profile (the AllAppsList profile type in the XML).
When testing these restricted Experience Profiles, logging on with an Entra ID user greatly reduces the customizations the XML can apply compared to a local user account. You’ll often need extra troubleshooting to reach a 1:1 match with the behavior you see using a local account.
For the official details on account syntax, how Entra ID users and groups are handled, and the differences between local vs Entra accounts in these profiles, see the Microsoft Learn documentation:
Create an Assigned Access configuration file – Configs section
Applying the Assigned Access XML via PowerShell
Microsoft provides a straightforward PowerShell method using the MDM Bridge WMI Provider to apply the configuration (this is the same approach you’ll use locally or when scripting the deployment).
High-level steps (run as SYSTEM):
- Use PsExec (from Sysinternals) to launch an elevated PowerShell session as SYSTEM
- Load your XML into a variable, HTML-encode it, and apply it to the MDM_AssignedAccess class via Set-CimInstance.
For the full script example and details, see the official Microsoft Learn page: Configure a restricted user experience (multi-app kiosk) with Assigned Access – PowerShell tab
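The two steps above as a script, added here as an example (it is not the author's script or Microsoft's published one). The path in $XmlPath is an assumed location for the downloaded template. The pre-apply XML check, the hash line and the read-back comparison are additions that go beyond the steps listed.

```powershell
# Added example. Run inside a PowerShell session started as SYSTEM, e.g.:
#   psexec.exe -i -s powershell.exe
# $XmlPath is an assumed location for the downloaded template; change it to yours.
param(
    [string]$XmlPath = 'C:\Temp\AssignedAccessTemplate.xml'
)

$ErrorActionPreference = 'Stop'

# The steps on this page call for a SYSTEM session (well-known SID S-1-5-18).
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.User.Value -ne 'S-1-5-18') {
    throw "Running as $($me.Name); start this session as SYSTEM."
}

# Load the file and confirm it is well-formed XML before touching the device.
$xmlText = Get-Content -LiteralPath $XmlPath -Raw
try { [void][xml]$xmlText } catch { throw "Not well-formed XML: $($_.Exception.Message)" }

# Record exactly what is being applied so it can be matched to a change record.
$hash = (Get-FileHash -LiteralPath $XmlPath -Algorithm SHA256).Hash
Write-Host "Applying $XmlPath (SHA256 $hash)"

$namespace = 'root\cimv2\mdm\dmmap'
$class     = 'MDM_AssignedAccess'

# HTML-encode the XML and write it to the Configuration property.
$obj = Get-CimInstance -Namespace $namespace -ClassName $class
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($xmlText)
Set-CimInstance -CimInstance $obj

# Read the setting back. Assumption: the stored value may come back encoded
# or already decoded, so both forms are accepted.
$applied = (Get-CimInstance -Namespace $namespace -ClassName $class).Configuration
$decoded = [System.Net.WebUtility]::HtmlDecode($applied)
if ($applied -eq $xmlText -or $decoded -eq $xmlText) {
    Write-Host 'Assigned Access configuration applied and verified.'
} else {
    Write-Warning 'Stored configuration differs from the file; review it before rebooting.'
}
```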
What’s Coming This Month
This is just the start. Over the next few weeks we’ll cover other single-app vs multi-app configurations and restrictions, real-world use cases, and other exciting and exclusive conversations; you won’t want to miss out!
Drop the template on a test machine on your bench and experiment. Once you work with Assigned Access, the old templates feel limited.
Let me know in the comments what kiosk or shared-device scenarios you’re running and what questions you have about Assigned Access — popular requests will shape the rest of the series.
Next post drops soon.
— Kevin
