How to fix Microsoft Intune Restricted Kiosk experience

Daniel Cohen 5 Reputation points
2026-06-24T08:00:41.72+00:00

We recently encountered an issue with enrolling devices into a restricted kiosk experience. We've set the approved apps and Start pins in the XML with the proper format, but nothing seems to get this right. The devices don't get the right setup no matter what we do. We suspect it's related to AD group assignments, but we are not sure. The assumption came from the fact that assigning a specific user in the XML config file does work, but pointing it to the relevant access group doesn't ...

Microsoft Security | Intune | Configuration

1 answer

  1. AI answer

    2026-06-24T08:01:17.5733333+00:00

    Use the following checks to fix a restricted kiosk experience in Intune when an XML-based Assigned Access configuration works for a specific user but not for a Microsoft Entra (Azure AD) group.

    1. Verify the XML configuration for group-based Assigned Access
      • Open the Assigned Access XML in a browser or XML editor and confirm it is well-formed.
      • Ensure the profile that should apply to the group is correctly defined and that the account mapping section references that profile.
      • Confirm that the Start layout section (if present) is valid: each app tile has valid Size, Row, and Column attributes and only apps that are actually installed for the kiosk user are included.
    2. Confirm the correct identifier is used for the group
      For multi-app kiosk configurations based on Microsoft Entra groups:
      • In the XML, ensure the GUID of the Microsoft Entra group is used, not the GUID or UPN of an individual user.
      • This is a common cause of “user-based XML works, group-based XML fails” scenarios.
    3. Validate group membership and device compliance
      • In the Microsoft Entra admin portal, verify that the intended kiosk user is shown as a member of the targeted group.
      • In Intune, confirm that the device is marked as compliant; non-compliant devices may not receive or honor the kiosk configuration as expected.
    4. Check connectivity and group resolution on the device
      For group-based kiosk mode to work reliably:
      • Ensure the device has internet connectivity at sign-in so it can resolve Microsoft Entra group membership.
      • If offline operation is required, configure the MixedReality/AADGroupMembershipCacheValidityInDays policy (where applicable) so cached group membership can be used without immediate internet access.
    5. Validate that the provisioning or Intune policy applied successfully
      • If using a provisioning package (PPKG), verify that it applied successfully on the device. If it failed, rebuild the package and check ICD.log for errors during package creation.
      • If using Intune with the AssignedAccess CSP, confirm that the custom OMA-URI policy is targeted to the correct device group and that the setting path and value are correct:
        • Setting: ./Vendor/MSFT/AssignedAccess/Configuration
        • Value: the full Assigned Access XML content.
    6. Use logs to diagnose misapplied or partial kiosk configuration
      On Windows devices:
      • Enable and review the AssignedAccess Operational log under:
        Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational
        This log provides details about configuration and runtime issues (for example, profile mapping failures or XML parsing problems).
      • If apps in the AllowedList are blocked or Start shows unexpected apps, also review:
        • AppLocker logs
        • AppxDeployment logs under Applications and Services Logs\Microsoft\Windows.
    7. Re-check account-to-profile mapping
      • Ensure the account (user or group) is mapped to the correct profile in the XML. If the mapping is missing or incorrect, the device may fall back to a global or default configuration, resulting in an incorrect kiosk experience.
    8. Re-deploy after corrections
      • After correcting XML, group GUID, or targeting issues, re-create and re-apply the provisioning package or re-deploy the Intune policy.
      • Sign out and sign back in with the kiosk user to confirm the updated configuration is applied.

    These steps specifically address scenarios where user-based Assigned Access works but group-based configurations do not, by focusing on group GUID usage, membership validation, XML correctness, and AssignedAccess CSP deployment.


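The following PowerShell is an added example for the checks in steps 1, 2, 6 and 7 of the answer above; it is not code from the original answer or from Microsoft. It embeds a constructed multi-app Assigned Access XML that maps a Microsoft Entra group to a profile (the profile GUID, the group object ID `11111111-2222-3333-4444-555555555555` and the app list are placeholders), lints it for the "user mapping works, group mapping fails" pattern (a UPN or user GUID in the `UserGroup` element, a `DefaultProfile` that points at an undefined profile, Start tiles whose AUMID is missing from `AllowedApps`), and then, on the kiosk device itself, reads back what the AssignedAccess CSP actually applied and pulls warnings and errors from the Operational log. The device-side functions use the MDM WMI bridge (`root\cimv2\mdm\dmmap`, class `MDM_AssignedAccess`), which is only reachable when running as LOCAL SYSTEM (for example under `psexec -s`); the `Status` property read there is assumed to be exposed by that class on your build.

```powershell
# Added example (not from the original answer). GUIDs, group object ID and AUMIDs are placeholders.
# A group mapping is <UserGroup Type="AzureActiveDirectoryGroup" Name="<group object ID>"/>;
# a single user would instead be <Account Name="AzureAD\user@contoso.com"/>. On-prem AD groups
# use Type="ActiveDirectoryGroup" Name="DOMAIN\group".
$assignedAccessXml = @'
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles>
    <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
      <AllAppsList><AllowedApps>
        <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
        <App DesktopAppPath="%ProgramFiles%\Internet Explorer\iexplore.exe" />
      </AllowedApps></AllAppsList>
      <StartLayout><![CDATA[
<LayoutModificationTemplate Version="1"
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
  <DefaultLayoutOverride><StartLayoutCollection>
    <defaultlayout:StartLayout GroupCellWidth="6"><start:Group Name="Kiosk">
      <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
    </start:Group></defaultlayout:StartLayout>
  </StartLayoutCollection></DefaultLayoutOverride>
</LayoutModificationTemplate>
      ]]></StartLayout>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <!-- Name must be the Entra group OBJECT ID (a GUID), never a UPN or a user's object ID -->
      <UserGroup Type="AzureActiveDirectoryGroup" Name="11111111-2222-3333-4444-555555555555" />
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}" />
    </Config>
  </Configs>
</AssignedAccessConfiguration>
'@

function Test-AssignedAccessXml {
    # Offline lint of an Assigned Access XML; returns a list of findings (empty = nothing obvious wrong).
    param([Parameter(Mandatory)][string]$Xml)
    $findings = [System.Collections.Generic.List[string]]::new()
    try { [xml]$doc = $Xml } catch { return @("Not well-formed XML: $($_.Exception.Message)") }
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('aa',  'http://schemas.microsoft.com/AssignedAccess/2017/config')
    $ns.AddNamespace('rs5', 'http://schemas.microsoft.com/AssignedAccess/201810/config')

    $profiles   = $doc.SelectNodes('/aa:AssignedAccessConfiguration/aa:Profiles/aa:Profile', $ns)
    $profileIds = @($profiles | ForEach-Object { $_.GetAttribute('Id') })
    if ($profileIds.Count -eq 0) { $findings.Add('No <Profile> defined') }

    foreach ($p in $profiles) {
        # Every Start tile must be an app the profile actually allows, or the tile is silently dropped.
        $id = $p.GetAttribute('Id')
        $allowed = @($p.SelectNodes('aa:AllAppsList/aa:AllowedApps/aa:App', $ns) |
                     ForEach-Object { $_.GetAttribute('AppUserModelId') } | Where-Object { $_ })
        $layoutNode = $p.SelectSingleNode('aa:StartLayout', $ns)
        if (-not $layoutNode) { continue }
        try { [xml]$layout = $layoutNode.InnerText } catch { $findings.Add("Profile ${id}: StartLayout is not valid XML"); continue }
        $lns = New-Object System.Xml.XmlNamespaceManager($layout.NameTable)
        $lns.AddNamespace('start', 'http://schemas.microsoft.com/Start/2014/StartLayout')
        foreach ($tile in $layout.SelectNodes('//start:Tile', $lns)) {
            $aumid = $tile.GetAttribute('AppUserModelID')
            if ($allowed -notcontains $aumid) { $findings.Add("Profile ${id}: Start tile '$aumid' is not in AllowedApps") }
        }
    }

    $guid = '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
    foreach ($cfg in $doc.SelectNodes('/aa:AssignedAccessConfiguration/aa:Configs/aa:Config', $ns)) {
        $group = $cfg.SelectSingleNode('aa:UserGroup', $ns)
        if ($group) {
            $type = $group.GetAttribute('Type'); $name = $group.GetAttribute('Name')
            # The mistake behind "user XML works, group XML fails": a UPN or user ID where the group object ID belongs.
            if ($type -eq 'AzureActiveDirectoryGroup' -and $name -notmatch $guid) {
                $findings.Add("UserGroup '$name' is not a Microsoft Entra group object ID (GUID)")
            }
        } elseif (-not $cfg.SelectSingleNode('aa:Account | rs5:AutoLogonAccount', $ns)) {
            $findings.Add('Config has no <Account>, <UserGroup> or <AutoLogonAccount>')
        }
        # Account-to-profile mapping (step 7): the referenced profile must exist.
        $ref   = $cfg.SelectSingleNode('aa:DefaultProfile', $ns)
        $refId = if ($ref) { $ref.GetAttribute('Id') } else { '' }
        if ($profileIds -notcontains $refId) { $findings.Add("Config maps to profile '$refId', which is not defined") }
    }
    return $findings.ToArray()
}

function Get-AppliedAssignedAccess {
    # Reads the live CSP node ./Vendor/MSFT/AssignedAccess through the MDM WMI bridge (run as SYSTEM).
    $node = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_AssignedAccess' -ErrorAction Stop
    [pscustomobject]@{
        Configuration = [System.Net.WebUtility]::HtmlDecode($node.Configuration)   # XML comes back HTML-escaped
        Status        = $node.Status                                                # assumed exposed by the class
    }
}

function Get-AssignedAccessEvents {
    # Errors (Level 2) and warnings (Level 3) from the Operational channel named in step 6.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AssignedAccess/Operational'
                                     Level = 2, 3; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Lint the intended XML, then the same XML with a UPN where the group object ID belongs.
Test-AssignedAccessXml $assignedAccessXml
$userStyle = $assignedAccessXml -replace 'Name="11111111-2222-3333-4444-555555555555"', 'Name="kioskuser@contoso.com"'
Test-AssignedAccessXml $userStyle
# On the kiosk device, as SYSTEM: Get-AppliedAssignedAccess ; Get-AssignedAccessEvents -Hours 24
```

Run the lint before pasting the XML into the Intune custom OMA-URI setting `./Vendor/MSFT/AssignedAccess/Configuration`; the device-side functions then tell you whether that exact XML reached the device (compare `Configuration` against what you deployed) and, if the profile still does not apply, what the AssignedAccess provider logged when it tried to resolve the group or parse the file.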
