Unexpected RestrictRun Enforcement in Multi-App Kiosk Mode After Windows 11 September 2025 Updates

ServerWeirdo 15 Reputation points
2025-10-06T11:22:40.0833333+00:00

ENVIRONMENT:

Windows 11 versions affected:

24H2 with September 2025 cumulative updates

25H2 (enablement package over 24H2)

Intune Managed or local Kiosk / Assigned Access configuration

Deployment method: Assigned Access multi-app kiosk profile via XML

INITIAL CONFIGURATION:

We originally used the following entry in the kiosk XML:

<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />

This allowed Edge to launch, but after applying the September 2025 updates, this configuration started triggering the following error:

"This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator"

(Screenshot of the error in Finnish: Error_FI.png)

This is caused by the automatic creation of the registry entries under:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

and

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun

(please see attached screenshots: Registry1.png, Registry2.png)

With these entries, applications are restricted by AppLocker (normal behavior) but also by the legacy RestrictRun policy.

OBSERVED BEHAVIOR:

Switching to only:

<App AppUserModelId="Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App" />

avoids the RestrictRun issue; no registry entries are created, but then the Start menu icon for Edge does not appear.

According to Microsoft documentation, we need to use secondary tiles. To enable Start menu pinning via secondary tiles, we must include:

<App AppUserModelId="Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App" />

<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />

<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge_proxy.exe" />

However, including these three entries again triggers the RestrictRun enforcements.

WORKAROUND ATTEMPTED:

Manually setting the following registry value to "0" resolves the issue temporarily:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

"RestrictRun" = 0

This allows shortcuts to work again and bypasses the legacy restrictions. However, this workaround is considered fragile because:

The registry key is under the current user context

It must be applied periodically, since after the kiosk profile is refreshed the registry value is changed back to "1".

It is not officially documented or supported as a long-term solution

IMPACT:

Displays unwanted / not needed alert messages from legacy restriction policy.

Prevents launching Edge via Start menu shortcut (.lnk) unless msedge.exe is allowed.

Forces administrators to explicitly allow every executable used in the session.

Breaks compatibility with previously working kiosk setups.

Adds complexity and risk to kiosk deployments.

QUESTIONS:

Clarification: Is this RestrictRun behavior change intentional, or a regression introduced in the September 2025 update?

If intentional, is there a documented way to suppress or override RestrictRun behavior safely?

If unintended, can this be addressed in a future cumulative update or hotfix?

Any help or similar observations are highly appreciated.

Windows development | WinUI

4 answers

  1. GregaJan 10 Reputation points
    2025-10-09T11:56:20.5266667+00:00

    Hi, for me CrossDeviceResume.exe helped. First I added the user profile registry manually via "Load Hive", then I used the XML to allow this exe; I added the full path to the file.

    https://learn.microsoft.com/en-us/answers/questions/374271/multi-app-kiosks-allowed-desktop-app-triggering-re?page=3#answers

    We've been experiencing issues with Multi App Kiosks after logging in using domain co-managed devices. To address this problem, we added the CrossDeviceResume.exe file, and it seems to have resolved the issues. As a first step, please try adding the regedit entry. If everything functions properly, we can proceed to locate the exe file and include it in the XML file.

    Registry Path for restrictedRun Policy:

    If you need to view the Current User Registry, you can do so by logging in using the Kiosk user credentials. Once logged in, switch to the administrator login, and you should see the Kiosk user login registry loaded.

    The restrictedRun policy is configured under the following registry path:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Steps to Allow CrossDeviceResume.exe:

    Open the Registry Editor:

    o Press Win + R, type regedit, and press Enter.

    Navigate to the restrictedRun Registry Key:

    o Go to the path:

    o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Enable the restrictedRun Policy:

    o If the RestrictRun key does not exist, create it:

    • Right-click on the Explorer key, select New > Key, and name it RestrictRun.

    o In the right-hand pane, create a new DWORD (32-bit) Value:

    • Name it RestrictRun and set its value to 1 to enable the policy.

    Add Allowed Applications:

    o Add the specific applications you want to allow:

    • Right-click on the RestrictRun key, select New > String Value, and name it AssignedAccess_# (# = last number of existing keys + 1).

    • Double-click on the newly created string value and set its data to the name of the executable you want to allow, e.g., CrossDeviceResume.exe.

    o For additional applications, create new string values (2, 3, etc.) and set their data to the respective executable names.

    Example Configuration: After configuring the registry, it should look like this:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]

    "RestrictRun"=dword:00000001

    "AssignedAccess_#"="CrossDeviceResume.exe"

    Restart the Device:

    o To apply the changes, restart the device or log out and log back in.

    Notes:

    Test Configuration: Always test the restrictedRun configuration in a controlled environment before applying it to production devices.

    Administrator Rights: Ensure you have administrative privileges to modify registry settings.

    Application Path: The restrictedRun policy requires only the executable name (e.g., CrossDeviceResume.exe), not the full file path.

    2 people found this answer helpful.
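The question and the answer above both come down to one check: does every DesktopAppPath executable in the kiosk XML have a matching AssignedAccess_* entry under the kiosk user's RestrictRun key? The following read-only PowerShell diagnostic is an added example, not code from the thread or from Microsoft; it assumes it runs in the kiosk user's session (so HKCU is that user's hive, or point $PolicyRoot at the loaded hive under HKU:\<SID>\...), and $KioskXmlPath is a placeholder for your exported profile.

```powershell
# Added diagnostic (not from the thread). Reports the legacy RestrictRun state for the kiosk
# user and lists DesktopAppPath executables from the kiosk XML that are missing from the
# AssignedAccess_* allow-list, i.e. the ones that would trip the "restrictions in effect" dialog.
param(
    [string]$KioskXmlPath = 'C:\KioskProfile\AssignedAccess.xml',   # placeholder path, adjust
    [string]$PolicyRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

$restrictRunKey = Join-Path $PolicyRoot 'RestrictRun'

# 1. Is the legacy policy switched on? (DWORD RestrictRun = 1 under ...\Policies\Explorer)
$policy  = Get-ItemProperty -Path $PolicyRoot -Name 'RestrictRun' -ErrorAction SilentlyContinue
$enabled = if ($null -ne $policy) { [int]$policy.RestrictRun } else { $null }
Write-Host ("RestrictRun policy: {0}" -f $(if ($null -eq $enabled) { 'not set' } else { $enabled }))

# 2. Collect the allow-list: string values named AssignedAccess_<n>, data = bare exe name.
$allowed = @()
if (Test-Path $restrictRunKey) {
    $key = Get-Item -Path $restrictRunKey
    foreach ($name in $key.GetValueNames()) {
        if ($name -like 'AssignedAccess_*') { $allowed += [string]$key.GetValue($name) }
    }
}
Write-Host "Allow-listed executables ($($allowed.Count)):"
$allowed | Sort-Object -Unique | ForEach-Object { Write-Host "  $_" }

# 3. Each DesktopAppPath in the XML must appear in the allow-list by file name only;
#    AUMID-only <App> entries (e.g. the Edge AppUserModelId) do not need one.
if (-not (Test-Path $KioskXmlPath)) { Write-Warning "Kiosk XML not found: $KioskXmlPath"; return }
[xml]$kioskXml = Get-Content -Path $KioskXmlPath -Raw
$missing = @()
foreach ($app in $kioskXml.GetElementsByTagName('App')) {
    $path = $app.GetAttribute('DesktopAppPath')
    if ([string]::IsNullOrEmpty($path)) { continue }
    # Expand %ProgramFiles(x86)% etc. before taking the leaf name; comparison is case-insensitive.
    $exe = Split-Path -Leaf ([Environment]::ExpandEnvironmentVariables($path))
    if ($allowed -notcontains $exe) { $missing += $exe }
}
if ($missing.Count -eq 0) {
    Write-Host 'All DesktopAppPath executables are present in the RestrictRun allow-list.'
} else {
    Write-Warning ("Not in RestrictRun allow-list: {0}" -f ($missing -join ', '))
}
```

Because the key lives in the kiosk user's hive, run it after that user has logged on at least once; the script changes nothing, so it is safe to re-run after each profile refresh to see whether Assigned Access has rewritten the list.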

  2. Darren Bradley 5 Reputation points
    2025-10-09T16:30:17.15+00:00

    Great, thanks, I have done that and the error has now gone. Would the XML in the kiosk configuration just push back and overwrite the settings?

    Would I add something like <App DesktopAppPath="C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\CrossDeviceResume.exe" /> to the XML file?

    1 person found this answer helpful.

  3. Darren Bradley 5 Reputation points
    2025-10-08T11:43:55.2333333+00:00

    I have been getting the same error now despite numerous changes. Setting RestrictRun to 0 works for me but it comes back, but this was a useful post, thank you.


  4. Anthony 0 Reputation points
    2025-10-30T17:45:49.16+00:00

    Following this thread. I was running into the error, so I decided to use LTSC to see if it was any better, and the stock ISO from M365 worked great. Ran the latest Windows updates and then started receiving the following error:

    I was able to modify the registry for RestrictRun and don't receive the message anymore, but I really don't feel my kiosk is ready for prime time with finicky things like this. Was really hoping LTSC would be the key, but it seems like something in the updates broke kiosk. Not too sure why this isn't more of a thing when searching in Google. Would imagine there are quite a few Windows kiosks being deployed?
