Following the October 2025 Windows quality update, I began seeing unexpected behavior in several Intune-managed kiosk deployments, where this restrictions popup kept appearing:
Logging into the device with an admin account did not present the same popup, and there was nothing in the AppLocker event logs that highlighted the issue. I added CMD.exe to the HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun registry key, and also placed it in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key to allow me to access the system while under the Kiosk profile, but still could not find event logs or any hints as to what would be causing this issue.
I removed all apps that were not needed, including the Xbox stuff, Phone Link, Quick Assist, etc., but the issue persisted. Following a few articles I found online, I also added CleanMgr.exe and CrossDevice.exe to the RestrictRun policy.
Still had the popup…
At the time of writing, Microsoft has not published documentation, guidance, or a formal remediation addressing this behavioral change, but after speaking with support about the issue, a remediation does exist. Two executables, PhoneExperienceHost.exe and CrossDeviceResume.exe, need to be allowed to run while the Kiosk profile is loaded. Doing this does not alter the expected behaviour of the kiosks, but does prevent the popup. Why these are included in Enterprise builds, I have no idea, but I do like them on my personal laptop!
Operationally, remediating this is problematic at scale:
- Devices are provisioned using Autopilot’s Self-Deploying Mode
- The kiosk account is created at the end of the sequence
- The kiosk user is not an admin
- A script runs before the account is created, and so do the apps
- Application control is enforced through legacy Explorer policies (If you’re using Assigned Access XMLs for configuration, this issue doesn’t appear and you likely haven’t read this far down the post)
- RestrictRun is user-scoped, requiring targeting the KioskUser0 registry hive, which the kiosk account does not have rights to modify
This combination creates a timing and privilege boundary problem. To stay within a supported configuration and ensure the policy applies successfully, I opted for a detection and remediation script. It validates the required registry strings in the user hive and remediates them, all from the SYSTEM context. My script confirms that the kiosk account exists and that its registry hive is loaded before running, eliminating the dependency on Autopilot timing.
While modern Windows kiosk designs should rely primarily on Assigned Access (XML-based application control), environments still using RestrictRun must now explicitly define these executables following the October 2025 update.
Until Microsoft publishes official guidance or clarifies the behavioral change, Proactive Remediations provide a clean, enterprise-ready mitigation strategy.
Here are the Detection and Remediation scripts:
Detection
# Detection: Validate RestrictRun entries exist for the currently signed-in user
# Returns:
#   0 = Compliant
#   1 = Not compliant / cannot evaluate
$ErrorActionPreference = 'Stop'

function Get-InteractiveUserSid {
    # Prefer explorer.exe owner (most reliable for kiosk/console)
    $explorer = Get-Process -Name explorer -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($explorer) {
        $owner = (Get-CimInstance Win32_Process -Filter "ProcessId=$($explorer.Id)").GetOwner()
        if ($owner.ReturnValue -eq 0 -and $owner.User) {
            $userName = $owner.User
            $user = Get-CimInstance Win32_UserAccount -Filter "Name='$userName' AND LocalAccount=True" -ErrorAction SilentlyContinue
            if ($user -and $user.SID) { return $user.SID }
        }
    }
    # Fallback: Win32_ComputerSystem.UserName
    $loggedOn = (Get-CimInstance Win32_ComputerSystem).UserName
    if ($loggedOn) {
        $userName = $loggedOn.Split('\')[-1]
        $user = Get-CimInstance Win32_UserAccount -Filter "Name='$userName' AND LocalAccount=True" -ErrorAction SilentlyContinue
        if ($user -and $user.SID) { return $user.SID }
    }
    return $null
}

$sid = Get-InteractiveUserSid
if (-not $sid) {
    Write-Output "No interactive user SID could be determined."
    exit 1
}

$path = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"
if (-not (Test-Path $path)) {
    Write-Output "RestrictRun key missing for SID: $sid"
    exit 1
}

try {
    $v5 = (Get-ItemProperty -Path $path -Name 'AssignedAccess_5' -ErrorAction Stop).AssignedAccess_5
    $v6 = (Get-ItemProperty -Path $path -Name 'AssignedAccess_6' -ErrorAction Stop).AssignedAccess_6
} catch {
    Write-Output "One or both values missing for SID: $sid"
    exit 1
}

if ($v5 -ne 'PhoneExperienceHost.exe') {
    Write-Output "AssignedAccess_5 mismatch: '$v5'"
    exit 1
}
if ($v6 -ne 'CrossDeviceResume.exe') {
    Write-Output "AssignedAccess_6 mismatch: '$v6'"
    exit 1
}

Write-Output "Compliant for SID: $sid"
exit 0
Remediation
# Remediation: Create/Update RestrictRun entries for the currently signed-in user
# Does NOT modify RestrictRun DWORD (assumed already enabled)
# Note: the value names AssignedAccess_5 and AssignedAccess_6 are fixed slots; any
# existing entries under those names in the user hive are overwritten.
$ErrorActionPreference = 'Stop'

function Get-InteractiveUserSid {
    # Prefer explorer.exe owner (most reliable for kiosk/console)
    $explorer = Get-Process -Name explorer -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($explorer) {
        $owner = (Get-CimInstance Win32_Process -Filter "ProcessId=$($explorer.Id)").GetOwner()
        if ($owner.ReturnValue -eq 0 -and $owner.User) {
            $userName = $owner.User
            $user = Get-CimInstance Win32_UserAccount -Filter "Name='$userName' AND LocalAccount=True" -ErrorAction SilentlyContinue
            if ($user -and $user.SID) { return $user.SID }
        }
    }
    # Fallback: Win32_ComputerSystem.UserName
    $loggedOn = (Get-CimInstance Win32_ComputerSystem).UserName
    if ($loggedOn) {
        $userName = $loggedOn.Split('\')[-1]
        $user = Get-CimInstance Win32_UserAccount -Filter "Name='$userName' AND LocalAccount=True" -ErrorAction SilentlyContinue
        if ($user -and $user.SID) { return $user.SID }
    }
    return $null
}

$sid = Get-InteractiveUserSid
if (-not $sid) {
    Write-Output "No interactive user SID could be determined."
    exit 1
}

$path = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"

# Ensure key exists (but do not change RestrictRun enablement)
if (-not (Test-Path $path)) {
    Write-Output "RestrictRun key missing for SID: $sid (creating key only)."
    New-Item -Path $path -Force | Out-Null
}

# -Force overwrites the value if it already exists
New-ItemProperty -Path $path -Name 'AssignedAccess_5' -PropertyType String -Value 'PhoneExperienceHost.exe' -Force | Out-Null
New-ItemProperty -Path $path -Name 'AssignedAccess_6' -PropertyType String -Value 'CrossDeviceResume.exe' -Force | Out-Null

Write-Output "Remediated RestrictRun values for SID: $sid"
exit 0
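If a kiosk hive already carries numbered RestrictRun entries, hard-coding the _5 and _6 slots can silently overwrite one of them. The following is an added helper, not part of the scripts above, that appends the two executables at the next free AssignedAccess_<n> index and skips any that are already allowed; it assumes the SID has been resolved beforehand (for example by the Get-InteractiveUserSid function above) and that the caller runs as SYSTEM so HKEY_USERS\<SID> is writable.

```powershell
# Added example (not the author's script): append RestrictRun allow-list entries
# without clobbering existing ones. Assumes $Sid is already resolved and the
# caller is SYSTEM, as the detection/remediation scripts above are.
function Add-RestrictRunEntries {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [string[]]$Executables = @('PhoneExperienceHost.exe', 'CrossDeviceResume.exe')
    )
    $ErrorActionPreference = 'Stop'
    $path = "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }

    # Explorer matches on each value's data (the exe name); the value name is
    # only a label, so decide what is already allowed by comparing the data.
    $key = Get-Item -Path $path
    $existing = @{}
    foreach ($name in $key.GetValueNames()) {
        if ($name -ne '') { $existing[$name] = [string]$key.GetValue($name) }   # skip (Default)
    }
    $allowed = @($existing.Values | ForEach-Object { $_.ToLowerInvariant() })

    # Start numbering above the highest AssignedAccess_<n> already present.
    $next = 1
    foreach ($name in $existing.Keys) {
        if ($name -match '^AssignedAccess_(\d+)$') {
            $next = [Math]::Max($next, [int]$Matches[1] + 1)
        }
    }

    $added = @()
    foreach ($exe in $Executables) {
        if ($allowed -contains $exe.ToLowerInvariant()) { continue }   # already permitted
        $valueName = "AssignedAccess_$next"
        New-ItemProperty -Path $path -Name $valueName -PropertyType String -Value $exe -Force | Out-Null
        $added += "$valueName=$exe"
        $next++
    }
    return $added   # empty array when the hive was already compliant
}

# Usage inside a remediation script running as SYSTEM:
# $sid = Get-InteractiveUserSid          # helper from the scripts above
# $added = Add-RestrictRunEntries -Sid $sid
# if ($added) { Write-Output "Added: $($added -join ', ')" } else { Write-Output "Already compliant for SID: $sid" }
```

Because the check compares on executable name rather than slot number, the same function doubles as a detection step: an empty return value means nothing needed to change.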
Hope this helps!