Setting up a “Single App” Kiosk in Windows 11 is easy via the Settings menu. But what if you need a library PC, a frontline worker station, or a lobby guest PC that needs access to three specific apps?
The GUI won’t help you there. You need the Assigned Access XML configuration.
This guide covers how to craft the XML file to lock down Windows 11 into a secure, multi-app environment.
The Challenge
Windows 11 removed the old “Start Layout” method used in Windows 10 for kiosks. It now relies heavily on the AssignedAccessConfiguration CSP (Configuration Service Provider), which is usually deployed via Intune or Provisioning Packages (.ppkg).
Structure of the XML
The XML file has two main parts:
1. Profiles: Defines what the kiosk looks like (Allowed Apps, Start Menu layout).
2. Configs: Defines who gets that profile (which User Account).
Sample XML Template
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
>
    <Profiles>
        <Profile Id="{9A2A490F-10F6-4764-974A-432193F29A6A}">
            <AllAppsList>
                <AllowedApps>
                    <!-- Allow Edge -->
                    <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
                    <!-- Allow Calculator -->
                    <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
                </AllowedApps>
            </AllAppsList>
            <StartLayout>
                <![CDATA[<LayoutModificationTemplate ... > ... </LayoutModificationTemplate>]]>
            </StartLayout>
            <Taskbar ShowTaskbar="true"/>
        </Profile>
    </Profiles>
    <Configs>
        <Config>
            <Account>KioskUser</Account>
            <DefaultProfile Id="{9A2A490F-10F6-4764-974A-432193F29A6A}"/>
        </Config>
    </Configs>
</AssignedAccessConfiguration>
Finding the AppUserModelId (AUMID)
The hardest part is getting the AppUserModelId for the apps you want to allow.
Open PowerShell on a machine with the apps installed and run:
Get-StartApps
This will list every app and its ID. Copy the ID string exactly into your XML <AllowedApps> section.
How to Apply It
Once you have your kiosk.xml file:
Method 1: WMI Bridge (PowerShell)
You can push this directly to a local machine using PowerShell and the MDM Bridge WMI provider.
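# Run this as the local SYSTEM account; the MDM Bridge WMI provider requires it.
# -Raw reads the file as one string instead of an array of lines.
$xml = Get-Content .\kiosk.xml -Raw
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
# The Configuration property expects the XML as an HTML-encoded string.
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($xml)
Set-CimInstance -CimInstance $obj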
Method 2: Provisioning Package
1. Install Windows Configuration Designer (from the Microsoft Store).
2. Create a strict provisioning package.
3. Navigate to Runtime settings > AssignedAccess > MultiAppAssignedAccessSettings.
4. Paste your XML content there.
5. Export the .ppkg file and run it on the target machine.
Conclusion
Multi-App Kiosk mode in Windows 11 is powerful but strict. One syntax error in your XML will cause the configuration to fail silently. Always validate your XML against the XSD schema provided by Microsoft before deploying.
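Because a bad file fails silently, a few structural checks before deployment catch the most common mistakes. The script below is an added example, not code from this guide or from Microsoft: `Test-KioskXml` is a hypothetical helper name, the sample XML is constructed, and the checks complement XSD validation rather than replace it.

```powershell
# Added example: structural checks for an Assigned Access XML string.
function Test-KioskXml {
    param(
        [Parameter(Mandatory)][string]$Xml,
        # AppIDs present on this machine; pass a list explicitly to check offline.
        [string[]]$InstalledAppIds = (Get-StartApps).AppID
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    # 1. Well-formedness: a syntax error surfaces here instead of at deployment.
    try { $doc = [xml]$Xml }
    catch { $problems.Add("Not well-formed XML: $($_.Exception.Message)"); return $problems }
    $ns = [System.Xml.XmlNamespaceManager]::new($doc.NameTable)
    $ns.AddNamespace('aa', 'http://schemas.microsoft.com/AssignedAccess/2017/config')
    # 2. Collect profile Ids and flag any that are not GUIDs in the template's braced form.
    $profileIds = @(foreach ($p in $doc.SelectNodes('//aa:Profiles/aa:Profile', $ns)) {
        $id = $p.GetAttribute('Id'); $g = [guid]::Empty
        if ($id -notmatch '^\{.+\}$' -or -not [guid]::TryParse($id, [ref]$g)) {
            $problems.Add("Profile Id is not a braced GUID: '$id'")
        }
        $id
    })
    # 3. Each Config must reference a profile that is defined in this file.
    foreach ($c in $doc.SelectNodes('//aa:Configs/aa:Config', $ns)) {
        $ref  = $c.SelectSingleNode('aa:DefaultProfile', $ns)
        $acct = $c.SelectSingleNode('aa:Account', $ns)
        if ($null -eq $ref -or $profileIds -notcontains $ref.GetAttribute('Id')) {
            $problems.Add("Config for '$($acct.InnerText)' references an undefined profile")
        }
    }
    # 4. Each allowed AUMID must match an AppID reported by Get-StartApps.
    foreach ($app in $doc.SelectNodes('//aa:AllowedApps/aa:App[@AppUserModelId]', $ns)) {
        $aumid = $app.GetAttribute('AppUserModelId')
        if ($InstalledAppIds -notcontains $aumid) {
            $problems.Add("AUMID not found in Get-StartApps output: $aumid")
        }
    }
    return $problems
}

# Constructed sample: the DefaultProfile Id deliberately does not match the Profile Id.
$sample = @'
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles><Profile Id="{9A2A490F-10F6-4764-974A-432193F29A6A}"><AllAppsList><AllowedApps>
    <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
  </AllowedApps></AllAppsList></Profile></Profiles>
  <Configs><Config><Account>KioskUser</Account>
    <DefaultProfile Id="{00000000-0000-0000-0000-000000000000}"/></Config></Configs>
</AssignedAccessConfiguration>
'@
Test-KioskXml -Xml $sample -InstalledAppIds 'Microsoft.WindowsCalculator_8wekyb3d8bbwe!App'
```

To check a real file on the target machine, call `Test-KioskXml -Xml (Get-Content .\kiosk.xml -Raw)`; an empty result means none of these checks found a problem.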
