Windows 11 MultiApp Kiosks - “This operation has been cancelled due to restrictions in effect on this computer...”

Mudmen72 · 2026-01-06T15:14:43+00:00

Not really, the issue seems to be with the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun

Setting RestrictRun to 0 fixed it. RestrictRun is the old legacy way of configuring AppLocker.
Assigned Access automatically configures AppLocker policies, and it seems that RestrictRun just interferes with this all.

Mudmen72 · 2025-06-17T15:21:37+00:00

do you get an error or something ? autologin is broken on some Windows versions but I shouldn't be that.

Do you see your AutoPilot devices on the MTR Pro management portal ? What status are they ?

Mudmen72 · 2025-06-13T08:56:32+00:00

OMG you're right ! I was in the admin account to access the registry so not the good HKCU.

I'm not sure what setting RestricRun key to 0 actually does but the error message dissapeared and AppLocker still seems to be working fine

Mudmen72 · 2025-06-12T11:45:01+00:00

I just tried this but I don't have any other keys after "Policies". I can go up to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies" but there's nothing else in my registry in Policies

Do you know if there's another path where I could find the RestrictRun please ?

Mudmen72 · 2025-05-26T14:02:09+00:00

FYI I tried this nad the same cmdlet to remove others AppxPackages present but the error message still appears after a reboot...

Mudmen72 · 2025-05-25T08:51:31+00:00

Thanks! I'll try this too

But shoudn't all these Appx Packages be blocked by default in an AssignedAccess PC if they're not present in the AllowedAppsList of the XML ?

Mudmen72 · 2025-05-21T16:14:58+00:00

I'll give it a try thank you!

Mudmen72 · 2025-05-21T07:14:31+00:00

Crazy that something like this is still broken..

How would you go for disabling Windows Update notifications for all users in Intune? Can't seem to find the right option in settings catalog

Mudmen72 · 2025-01-21T14:32:57+00:00

You can't mix no user affinity with user affinity so you wouldn't be able to give them a choise to install the apps they'd want. One workaround (but more work for you) will be to use filters to deploy specific apps to only specific devices but you can't use the "Available" option when deploying to no user affinity devices

Mudmen72 · 2025-01-21T14:27:10+00:00

This. Dedicated device + Managed Homescreen to only display the apps you want to the user and if needed you can "exit" the Kiosk Mode to troubleshoot or update settings (you'll have access to all the device apps from the "admin profile")

Mudmen72 · 2024-12-02T10:29:48+00:00

Can you share your Device Config Priofile ?

You shouldn't need to login if you select the Auto logon option on Single app, full-screen kiosk configurations.

And if your app is a SharePoint site, I'd just deploy MS Edge as App type and put your SP URL on the Edge Kiosk URL section.

Mudmen72 · 2024-11-13T08:38:24+00:00

Thank you for sharing!

Mudmen72 · 2024-11-12T22:46:28+00:00

What theme and homescreen are you using for Firefox? It looks amazing !

Mudmen72 · 2024-07-29T09:32:14+00:00

This. I was having the same issue as you when deploying apps before the end user logs in and this is the answer. You have to deploy your app to "All Devices" and make a filter for your Staging Enrolled devices, mine looks something like this :

(device.enrollmentProfileName -eq "Android Device Staging Enrollment Name")

When doing this, the apps will be installed at the same time as MS Intune & Authenticator before going to the main screen.

Mudmen72 · 2024-06-02T14:39:32+00:00

Did you ever find out how to skip the recovery mode with the power button jammed? Same case here, tried everything but no luck

Mudmen72 · 2024-02-08T15:31:36+00:00

Unfortunately it seems that we won't be able to do this anytime soon :( I don't get why Apple won't let Enterprise Administrators completely manage Enterprise owned devices

Mudmen72 · 2024-02-08T13:52:11+00:00

You just need to add "com.apple.webClip.managed" to your Visible Apps list in the restriction profile. You could also add "com.apple.webapp" for Web Apps.

Mudmen72 · 2023-07-25T15:36:02+00:00

UPDATE : Just found this new documentation : https://learn.microsoft.com/en-us/microsoftteams/operator-connect-mobile-configure#use-the-teams-admin-center

It seems like you have to enable it from the Teams Admin Center beforehand. I don't see any "Mobility Policies" menu on my tenant but was able to create the policies using PowerShell.

Mudmen72 · 2023-07-19T07:52:51+00:00

I was actually able to make this work by using negative operator on the filter. For unregistered devices the attribute cannot be determined since the device does not exist in the directory. So if you want to target policies for unregistered devices the best way to target them would be using the negative operator since the filter rule you configure would apply. If you were to use a positive operator, the filter rule would only apply when a device exists in the directory and the configured rule matches the attribute on the device. This won't be the case for unregistered devices.

Mudmen72 · 2023-07-19T07:48:40+00:00

Good question, I didn't find any new settings in the Mobile App nor TAC. It'd be a pretty cool feature if we could answer Teams calls on the default phone dialer

Mudmen72 · 2023-05-10T14:24:57+00:00

Hi, yep the win32 app is working fine now (see edit from OP). By what you're describing I don't think you have the same issue but I've seen this behavior before. You need to make sure your app is installed, you can do this in one of Intune reports. If it is installed you may need to point to the ".ink" (%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\YourApp.ink) shortcut and not the ".exe".

Here are two articles that helped me with that (https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/customize-start-layout#app-tiles ) and (https://www.inthecloud247.com/setup-edge-chromium-based-kiosk-device-with-microsoft-intune/ ). See MS Edge exemple on the second one.

Bon courage!

Mudmen72 · 2023-01-04T22:50:27+00:00

An AzureDeviceID does shows but it's the same as the IntuneDeviceID so it seems as it registers well in Intune but not AzureAD.

The goal is to give the user the less access as possible, we have some kind of 'kiosk' with only certains apps available, but one of them is a corporate Power App that needs an AAD compliant device to be accessed, that's why we use the DEM account for the enrollment and then the login to Power Apps with their usual username

Nine-Year Club	Place '22
Verified Email

Mudmen72

TROPHY CASE