Setting up and managing device configurations using Intune
Use the following checks to troubleshoot a restricted kiosk experience (Assigned Access) managed through Intune when an XML-based Assigned Access configuration works for a specific user but not for a Microsoft Entra (Azure AD) group.
- Verify the XML configuration for group-based Assigned Access
  - Open the Assigned Access XML in a browser or XML editor and confirm it is well-formed.
  - Ensure the profile that should apply to the group is correctly defined and that the account mapping section references that profile.
  - Confirm that the Start layout section (if present) is valid: each app tile has valid `Size`, `Row`, and `Column` attributes, and only apps that are actually installed for the kiosk user are included.
- Confirm the correct identifier is used for the group
  - For multi-app kiosk configurations based on Microsoft Entra groups, ensure the XML uses the GUID of the Microsoft Entra group, not the GUID or UPN of an individual user.
  - This is a common cause of “user-based XML works, group-based XML fails” scenarios.
- Validate group membership and device compliance
  - In the Microsoft Entra admin portal, verify that the intended kiosk user is shown as a member of the targeted group.
  - In Intune, confirm that the device is marked as compliant; non-compliant devices may not receive or honor the kiosk configuration as expected.
- Check connectivity and group resolution on the device
  - For group-based kiosk mode to work reliably, ensure the device has internet connectivity at sign-in so it can resolve Microsoft Entra group membership.
  - If offline operation is required, configure the `MixedReality/AADGroupMembershipCacheValidityInDays` policy (where applicable) so cached group membership can be used without immediate internet access.
- Validate that the provisioning or Intune policy applied successfully
  - If using a provisioning package (PPKG), verify that it applied successfully on the device. If it failed, rebuild the package and check `ICD.log` for errors during package creation.
  - If using Intune with the AssignedAccess CSP, confirm that the custom OMA-URI policy is targeted to the correct device group and that the setting path and value are correct:
    - Setting: `./Vendor/MSFT/AssignedAccess/Configuration`
    - Value: the full Assigned Access XML content.
- Use logs to diagnose misapplied or partial kiosk configuration
  - On Windows devices, enable and review the AssignedAccess Operational log under `Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational`. This log provides details about configuration and runtime issues (for example, profile mapping failures or XML parsing problems).
  - If apps in the `AllowedList` are blocked or Start shows unexpected apps, also review:
    - AppLocker logs
    - AppxDeployment logs under `Applications and Services Logs\Microsoft\Windows`.
- Re-check account-to-profile mapping
  - Ensure the account (user or group) is mapped to the correct profile in the XML. If the mapping is missing or incorrect, the device may fall back to a global or default configuration, resulting in an incorrect kiosk experience.
- Re-deploy after corrections
  - After correcting XML, group GUID, or targeting issues, re-create and re-apply the provisioning package or re-deploy the Intune policy.
  - Sign out and sign back in with the kiosk user to confirm the updated configuration is applied.
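The XML checks in the list above (well-formed markup, a declared profile that the account mapping actually references, a group GUID rather than a user identity, and only installed apps in the `AllowedList`) can be scripted and run before the XML is pasted into the OMA-URI. The following PowerShell is an added example and is not code from the original answer or from Microsoft. `Test-AssignedAccessXml` is a hypothetical helper name; it assumes the Assigned Access schema's `Profile`, `Config`, `DefaultProfile`, `UserGroup`, `AllowedList` and `App` element names (matched without regard to XML namespace so that it works across schema versions) and the `Type="AzureActiveDirectoryGroup"` attribute value used for group mappings.

```powershell
# Added example, not from the original answer: sanity-check an Assigned Access XML before deploying it.
# Hypothetical helper; element names are assumed from the Assigned Access schema and matched via local-name().
function Test-AssignedAccessXml {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $CheckInstalledApps   # also compare AllowedList against Get-AppxPackage on this device
    )

    $problems = [System.Collections.Generic.List[string]]::new()

    # 1. Well-formedness: the [xml] cast throws on malformed markup
    try {
        [xml]$doc = Get-Content -LiteralPath $Path -Raw -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Problems = @("Not well-formed: $($_.Exception.Message)") }
    }

    # 2. Collect declared profile IDs (compared case-insensitively; GUIDs may be written in either case)
    $profileIds = @($doc.SelectNodes("//*[local-name()='Profile']") |
        ForEach-Object { $_.GetAttribute('Id').Trim().ToLowerInvariant() })
    if ($profileIds.Count -eq 0) { $problems.Add('No <Profile> elements declared') }

    # 3. Every Config (account-to-profile mapping) must reference a declared profile,
    #    otherwise the device falls back to a default/global configuration
    foreach ($cfg in $doc.SelectNodes("//*[local-name()='Config']")) {
        $ref = $cfg.SelectSingleNode("*[local-name()='DefaultProfile']")
        if (-not $ref) { $problems.Add('A <Config> has no <DefaultProfile>'); continue }
        $id = $ref.GetAttribute('Id').Trim().ToLowerInvariant()
        if ($profileIds -notcontains $id) { $problems.Add("<Config> maps to undeclared profile $id") }

        # 4. Group-based mapping: Name must be the Entra group GUID, not a user GUID, UPN or display name.
        #    A UPN or display name is not a GUID, so it is caught here; a user's GUID still parses and
        #    must be checked against the group's object ID in the Entra portal.
        $grp = $cfg.SelectSingleNode("*[local-name()='UserGroup']")
        if ($grp -and $grp.GetAttribute('Type') -eq 'AzureActiveDirectoryGroup') {
            $name = $grp.GetAttribute('Name').Trim()
            $parsed = [guid]::Empty
            if (-not [guid]::TryParse($name, [ref]$parsed)) {
                $problems.Add("AzureActiveDirectoryGroup Name '$name' is not a GUID; use the group's GUID")
            }
        }
    }

    # 5. Optional: every AllowedList app should be installed for the account running this check
    if ($CheckInstalledApps) {
        $families = @(Get-AppxPackage | Select-Object -ExpandProperty PackageFamilyName)
        foreach ($app in $doc.SelectNodes("//*[local-name()='AllowedList']/*[local-name()='App']")) {
            $aumid = $app.GetAttribute('AppUserModelId')
            $exe   = $app.GetAttribute('DesktopAppPath')
            if ($aumid) {
                $family = ($aumid -split '!')[0]      # AUMID = PackageFamilyName!AppId
                if ($families -notcontains $family) { $problems.Add("AllowedList app not installed: $aumid") }
            } elseif ($exe -and -not (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($exe)))) {
                $problems.Add("AllowedList desktop app not found: $exe")
            }
        }
    }

    [pscustomobject]@{ Path = $Path; Ok = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Usage: run against the XML you intend to set as the ./Vendor/MSFT/AssignedAccess/Configuration value,
# signed in as the kiosk user if -CheckInstalledApps is used (Appx packages are per-user)
# Test-AssignedAccessXml -Path .\kiosk.xml -CheckInstalledApps | Format-List
```

Run it with `-CheckInstalledApps` while signed in as the kiosk user, because `Get-AppxPackage` lists packages for the current user and that is exactly the set the `AllowedList` and Start layout are allowed to reference. A clean result does not prove the group mapping is right (a user's GUID also parses as a GUID), so still compare the `Name` value against the group in the Microsoft Entra admin portal as the checklist says.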
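To triage the logs named in the checklist without clicking through Event Viewer, the following PowerShell is an added example and not part of the original answer. It assumes the `Get-WinEvent` channel names that correspond to the Event Viewer paths above (`Microsoft-Windows-AssignedAccess/Operational`, the two AppLocker channels, and the AppXDeployment channels); confirm the names on your build with `Get-WinEvent -ListLog *AssignedAccess*,*AppLocker*,*AppX*` before relying on them. `Get-KioskDiagnosticEvents` is a hypothetical function name.

```powershell
# Added example, not from the original answer: collect recent AssignedAccess, AppLocker and AppX
# deployment events into one timeline. Channel names are assumptions matching the Event Viewer paths
# in the checklist; run in an elevated PowerShell on the kiosk device.
function Get-KioskDiagnosticEvents {
    param(
        [int] $Hours = 24,                    # how far back to look
        [switch] $EnableAssignedAccessLog     # turn the Operational channel on if it is disabled
    )

    $assignedAccess = 'Microsoft-Windows-AssignedAccess/Operational'
    $channels = @(
        $assignedAccess,
        'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/Packaged app-Execution',
        'Microsoft-Windows-AppXDeployment/Operational',
        'Microsoft-Windows-AppXDeploymentServer/Operational'
    )

    if ($EnableAssignedAccessLog) {
        # Equivalent to "Enable Log" on the channel in Event Viewer
        & wevtutil.exe set-log $assignedAccess /enabled:true | Out-Null
    }

    $since = (Get-Date).AddHours(-$Hours)
    $events = foreach ($ch in $channels) {
        # Levels 1-3 are Critical/Error/Warning. AssignedAccess also reports profile-mapping and
        # XML-parsing details at level 4 (Informational), so keep those for that channel only.
        $maxLevel = if ($ch -eq $assignedAccess) { 4 } else { 3 }
        try {
            Get-WinEvent -FilterHashtable @{ LogName = $ch; StartTime = $since } -ErrorAction Stop |
                Where-Object { $_.Level -le $maxLevel } |
                ForEach-Object {
                    [pscustomobject]@{
                        Time    = $_.TimeCreated
                        Channel = $ch
                        Id      = $_.Id
                        Level   = $_.LevelDisplayName
                        Message = ($_.Message -split "`r?`n")[0]   # first line is enough to triage
                    }
                }
        } catch {
            # Get-WinEvent throws when a channel is disabled or has no matching events; report and continue
            Write-Warning "$ch : $($_.Exception.Message)"
        }
    }
    $events | Sort-Object Time
}

# Usage (elevated), right after reproducing the problem with a kiosk sign-in:
# Get-KioskDiagnosticEvents -Hours 2 -EnableAssignedAccessLog | Format-Table -AutoSize -Wrap
```

Read the AssignedAccess entries first: a mapping or parse error there explains an unexpected fallback to the default profile, while AppLocker block events explain `AllowedList` apps that do not start and AppX deployment errors explain tiles for apps that are not actually installed for the kiosk user.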
These steps specifically address scenarios where user-based Assigned Access works but group-based configurations do not, by focusing on group GUID usage, membership validation, XML correctness, and AssignedAccess CSP deployment.
References:
- Configure a restricted user experience (multi-app kiosk) with Assigned Access
- Configure a single-app kiosk with Assigned Access
- Set up HoloLens as a kiosk
- Troubleshoot kiosk mode issues
- Frontline worker for Android devices in Microsoft Intune
- Apple device restriction settings in Microsoft Intune (iOS/iPadOS)