Intune Stuff | The Community place for Microsoft Intune, Intune Suite, Autopilot, macOS Management, Copilot for Security.

How to setup Windows 11 kiosk Multi-App mode with Edge and the Windows App – The XML Struggle

by | Sep 9, 2025 | Device Management, Edge, Entra ID, Featured Post, Intune, kiosk, Manuals, MDM, Microsoft, Most Popular, News, Top Stories, Windows 11, Windows 365 | 6 comments

Hi Community,

Some time ago a customer asked me if I could help them with the setup of a Windows 11 multi-app kiosk with Edge and the Windows app. I told them straight away that thas is something I really had very little to no experience with. I knew it was going to be a hassle to setup but I took up the challenge. First I did some reading, Microsoft docs, several blog posts and what I found out was that I could not find any configuration with the Windows App. I found this somewhat strange, but a few Intune configs later it made sense to me. This is not straightforward and i didn’t got it working untill….

After i got this working I thought by myself, this is worth sharing. In this blog i will show you the stuff I ran into and ofcourse how i got this working. So let’s dive in.

I have made all the working XML files available for you to download. Look for them in the blog.

PS: Here are the docs from Microsoft:

Kiosk settings for Windows and Holographic devices in Microsoft Intune
Configure your Windows 10/11 and Windows Holographic for Business devices as single-app and multi-app kiosks, customize the start menu, add apps, show the task bar, and configure a web browser in Microsoft Intune.

 

In this doc you are already presented with the fact that the built-in kiosk profile type only works in Windows 10 – Come on Microsoft…. This is not stated when you try to create the policy in Intune!!

 

kiosk

So by any means don’t use this:

 

This will NOT work in Windows 11.

 

Kiosk

 

Ok other doc:

 

Create an Assigned Access configuration file
Learn how to create an XML file to configure Assigned Access.

 

Now let’s do the config.

 

I will not go into detail about the different building blocks of the XML file, this blog is about the working feature. If you want more info on this check out the Microsoft docs mentioned in this blog or the fantastic blog of my friend Jon Towles.

 

Prerequisites

You don’t need many prerequisites to get this working:

  • A Windows 11 machine
  • An Intune Device license
  • An Intune licensed user
  • The Windows App deployed with Intune to the kiosk devices from the store
  • A lot of patience 😉

 

Create the Kiosk mode with XML file

 

Get everything in place for Edge

First i started out with the kiosk example XML file from Microsoft and edited this file, since I want a restricted user experience I took this to start from. I will use VSCode for editing. Make a copy of the file on your PC, we will come back to this file later on when we configure the XML for the Windows App.

Create an Assigned Access configuration file
Learn how to create an XML file to configure Assigned Access.

 

 

As you can see there is a lot more then I needed, I only need Edge and the Windows App, the Windows app was not there so I deleted all the lines i did not need.

 

 

As you can see I only kept the lines that are needed for Edge:

<App DesktopAppPath=“%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe” />

and

{“desktopAppLink”: “%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk”}

 

I also don’t want the autologon account stated as “MS Learn Example” so I also changed that. For testing I used a local account named “Kiosk” but in the end I want to log on with an Entra account.

 <AutoLogonAccount rs5:DisplayName=“Kiosk” />

 

For more information regarding the accounts you can use this Microsoft doc:

Assigned Access Examples
Practical examples of XML files to configure Assigned Access.

Save your XML file somewhere on your PC.

 

 

Get everything in place for the Windows App

 

Now that we have everything there for Edge, it’s time to focus on the Windows App.  As you might have noticed there are 2 different types of apps you can allow, regular desktop apps and store apps. For the Windows app (a store app) we need to find out the AUMID of the app. To do this open an elevated powershell windows and type in the following command:

get-startapps

Now you will get a list of apps, in this list search for the Windows app and copy the AUMID.

For this to work you need to have the Windows App installed, run this command on a device with the Windows App installed.

To add the Windows App to our XML we need to go back to the original file wher you have a copy off on your PC. We need to add some lines from that file to our file and edit these lines to reflect the Windows App.

The lines we need are:

<App AppUserModelId=“Microsoft.WindowsCalculator_8wekyb3d8bbwe!App” />

and

{“packagedAppId”:”Microsoft.WindowsCalculator_8wekyb3d8bbwe!App”},
We need to edit them so that they reflect the AUMID of the windows App. Your result would be:
<AppAppUserModelId=“MicrosoftCorporationII.Windows365_8wekyb3d8bbwe!Windows365”/>
and
{“packagedAppId”:”MicrosoftCorporationII.Windows365_8wekyb3d8bbwe!Windows365″},
So that it looks like this:

So far so good, and easy right? Well not quite. You would assume that we have everything in place, that was also my assumption, however… 1st I will show you how to configure this in Intune followed by a video on the user experience, you will notice that it will NOT work….just yet. Now save this complete XML file, we will need it to configure the intune policy.

 

 

Multi-App Kiosk mode config in Intune – Not what we want…

 

To configure the Intune policy follow these steps. Go to the Intune portal – Devices – Windows – Configuration – Create – New policy – Platform: Windows 10 and later – Profile type: Templates – Custom

Name your policy e.g. Multi-App Kiosk, click next


On the Configuration settings pane click Add – Name: Multi-App Kiosk – Description: Multi-App Kiosk With Edge and Windows App – OMA-URI: ./Vendor/MSFT/AssignedAccess/Configuration – Data type: String (XML file) – Browse for your XML file.

When everything is in place, click save and click next. Your policy will look like this:

Now assign your policy to a device group

Click next and add Applicability rules if you want, on the Review + create pane click create.

Now we have everythng in place to begin to enroll our kiosk device in Intune. Let’s watch the video of the user experience.

 

 

Kiosk User Experience – Not what we want!

In this video we will start from scratch with a clean VM.

 

 

Multi-App Kiosk mode config in Intune – What we really want…

 

I have tried the previous config a number of times but always with the same result, the Windows app wont open with my kiosk user. According to some blogs that i have found people where talking about depencies for the Windows app, at first this made sense so I went out looking what dependencies the Windows app specifically needed. ChatGPT listed me a lot of dependencies for the Windows app so I added them one by one each time testing kiosk mode when I added a dependency. My XML file looked like this at the point where I gave up looking for dependencies. As you can see I have a lot of allowed apps now.

 

 

Deploying this did not work, so back to the drawing board. On the blog from Jon you will notice that he is also working with the Shell Launcher. You can find the info here. Also check out the blog from Dominiek on shell launcher for more info here.

Shell Launcher basically blocks the device in one particular app, the Windows App in this case. Ok not want I want in this specific use case but still worth the test. So I configured this in Intune scoped the policy on the same device that was not working and guess what, this worked instantly, so now I was sure that I had the correct AUMID for the Windows App, that the app was installed correctly and also machine wide. The search for the dependencies was a pure waste of time.

 

You can download the Shell Launcher XML file from here. This file looks like this

 

 

By now i needed another approach obviously, so let’s check the app itself. I have taken the Windows App from the store which would be sufficient (and it also is) but I tried to google “Download the Windows app” and i got an executable to install, when clicking the executable the store opens and the Windows app with it’s depencies got installed. This made me thinking, maybe the Windows App also has an alternative installation path, and yes it does. It gets installed in %ProgramFiles%\WindowsApps\MicrosoftCorporationII.Windows365_2.0.633.0_x64__8wekyb3d8bbwe.

So if i maybe replace the AUMID with this woudl it work? So I began the config of the XML file again to end up with this:

 

After wiping my device and enrolling it again, again a no go unfortunately, the Windows App wont open. Again back to the XML drawing board. The next I did was to add the AUMID to the allowed apps list leaving the previous entry/ to get to this:

 

 

Now I could open the app but not make a connection to my Windows 365 machine yet. I checked the task manager for depedencies for the Windows App and added these like in the screenshot below.

 

I deployed this XML file in an Intune policy, wiped my test devices and started from scratch AGAIN, and guess what this is working!! So no dependencies, no nothing just 2 entries for the Windows App in the XML. One for the AUMID and one for the desktop path.

 

You can download the working XML file here. Make sure you enter your own account is the XML file before uploading it in Intune

 

 

Kiosk User Experience – What we really want…

In this video we will start from scratch with a clean VM.

 

So now we have a working config! Yeah, happy days!

 

Multi-App Kiosk mode config in Intune – Some extra stuff

Windows App Version

 

I also noticed that the version of my Windows App is higher then what is stated in my XML file, I have version 2.0.660.0 installed and in my XML file I have the path that points to 2.0.633.0 and it still works.

 

 

The XML file in Intune:

 

So that is nice, i’m not really sure why still is still working, however i assume now that updates for the Windows App can be applied without breaking the config.

 

Extra Intune policies

If you want to make someone login with a local account (not recommended), make sure you deploy this policy via Intune:

 

 

When you use Shell Launcher make sure you have also this policy in place:

 

 

 

This covers this blog on Multi-App kiosk with Edge and the Windows App. Like i said i still need to lock down Edge with some Intune policies but now we have a working kiosk configuration.

And as always if you feel there is something in error or you want to add some stuff from your own experience don’t hesitate to contact me!

SHARE THIS:

6 Comments

  1. Matthias
    Matthias on September 19, 2025 at 14:36

    I tried your configuration, but unfortunately it doesn’t work either. As soon as Edge is configured, I can’t start Teams or other UWP apps.
    It seems to be a really nasty Windows bug. I have reported it to MS and we are investigating it with the Windows Performance Team.

    Reply
  2. Matthias Günther
    Matthias Günther on September 20, 2025 at 18:19

    Hi,
    The problem seems to occur in 24H2 when you enter the Edge browser path in the XML. As soon as this is written in, the strange behaviour with the UWP apps occurs.
    Delete Edge from your configuration and then it will work. I have reported the problem to Microsoft and am waiting for a response from the Windows Performance Team.
    Until this is resolved, I am using a different UWP browser.

    Reply
    • Leandro Ferreira
      Leandro Ferreira on December 5, 2025 at 11:33

      Hello Matthias,

      I am in the same situation, trying to get it resolved with Microsoft.

      Could you please share which UWP browser you are using as a work-around?

      Thank you

      Reply
    • Anthony Papaleontiou
      Anthony Papaleontiou on February 10, 2026 at 16:03

      Hi Matthias, did you ever find a solution to this? I am having exactly the same problem. We absolutely need Windows App to work because Remote Desktop App will be end of life next month. But in our multi app kiosk config we also want to provide access to two different Citrix StoreFronts via secondary pins, hence Edge needs to work. If you have any solution for this it would be greatly appreciated! Thanks, Anthony

      Reply
  3. Eric
    Eric on September 20, 2025 at 19:40

    Hi, I’ve noticed an issue when deploying Zoom Rooms using Assigned Access. Kiosk mode launches correctly, and auto logon works as expected. However, immediately after login, an error message appears: 0x80004005. After about 30 seconds, the system recovers and returns to the Zoom Rooms interface as normal.

    Reply
  4. Darren
    Darren on October 16, 2025 at 17:20

    Thank you for the detailed post. I have gotten everything working as you instructed but I would like to auto launch edge on startup instead of changing the shell. I have not found any other info as how I would do this,

    Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Buy me a Duvel 😉

Discover more from IntuneStuff

Subscribe now to keep reading and get access to the full archive.

Continue reading