Check for Variable path in system. As Kiosk and user domain is same.
%SYSTEM32%\ variable is accessible from RUN ?
If not, need to make necessary changes.
Multi-app Kiosk's Allowed desktop App Triggering Restrictions Error Message Box
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 52%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
MrMJFisher
51
Reputation points
On our multi-app kiosk, the message box titled "Restrictions" with the following message appears each time the system attempts to start "%SYSTEM32%\CLEANMGR.EXE"; which is an allowed app.
"This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."
Following the documentation, I have reviewed the following event logs:
- Application
- Security
- System
- Microsoft-Windows-AppLocker/Packaged app-Execution
- Microsoft-Windows-AppLocker/Packaged app-Deployment
- Microsoft-Windows-AppLocker/MSI and Script
- Microsoft-Windows-AppLocker/EXE and DLL
- Microsoft-Windows-AssignedAccess/Operational
- Microsoft-Windows-AssignedAccess/Admin
Error ID 8004 is listed in the "EXE and DLL" log at 4/26/2021 4:13:25 PM by provider Microsoft-Windows-AppLocker with the following message:
%SYSTEM32%\CLEANMGR.EXE was prevented from running.
I have a Windows 10 1903 (18362.1256 build) Dell OptiPlex 7050 setup as a multi-app kiosk. I have allowed multiple applications using the "AllowedApps" list in the xml file of the assigned access configuration XML file. Here is a redacted copy of the assigned access configuration XML file. I've used both the App User Model ID (AUMID) and the full path of the executable. I've verified the xml using the XSD. I added the configuration XML to the Windows Configuration Designer project. From the Windows Configuration Designer I exported the provisioning package, copied to the kiosk, installed the provisioning package, and rebooted. I ran the following as administrator to confirm there were no errors:
Get-ProvisioningPackage -AllInstalledPackages -Verbose
...some output omitted...
Rank : 11
Altitude : 5011
Version : 3.14
OwnerType : ITAdmin
Notes :
LastInstallTime : 4/22/2021 4:12:04 PM
Result : 0__AssignedAccess_MultiAppAssignedAccessSettings.provxml
Category:UxLockdown
LastResult:Success
Message:Provisioning succeeded
NumberOfFailures:0 (0x0)
1__Policies_Start_HideLock.provxml
Category:Policies
LastResult:Success
Message:Policies applied successfully.
NumberOfFailures:0 (0x0)
2__Policies_Start_HideShutDown.provxml
Category:Policies
LastResult:Success
Message:Policies applied successfully.
NumberOfFailures:0 (0x0)
3__Policies_Start_HideSleep.provxml
Category:Policies
LastResult:Success
Message:Policies applied successfully.
NumberOfFailures:0 (0x0)
4__SMISettings_AutoLogon.provxml
Category:UxLockdown
LastResult:Success
Message:Provisioning succeeded
NumberOfFailures:0 (0x0)
5__SMISettings_BrandingNeutral.provxml
Category:UxLockdown
LastResult:Success
Message:Provisioning succeeded
NumberOfFailures:0 (0x0)
6__SMISettings_NoLockScreen.provxml
Category:UxLockdown
LastResult:Success
Message:Provisioning succeeded
NumberOfFailures:0 (0x0)
When booting the system signs in as the Active Directory user account, and the desired Excel workbook opens. I can further review the settings that the provisioning package created by looking at the registry and Group Polices. In the user's registry hive at "...\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", I can see that the "RestrictRun" DWORD is set to 1. The associated subkey of "RestrictRun" lists the various applications, each in their own string value, including the "CLEANMGR.EXE". Running the following as administrator to get a Group Policy result I can see the "CLEANMGR.EXE" is listed under User > Settings > Policies > Administrative Templates > System > Run only specified Windows applications.
Get-GPResultantSetOfPolicy -Computer [comptuername] -User [kiosk.username] -ReportType Html -Path c:\GPresult\20210426.html -Verbose
I am intentionally blocking most applications and need to continue to prevent the kiosk user from running most applications. I do want to allow the workstation to run any application for system health (anti-virus, updates, maintenance application, etc.). I do not want to disable applocker.
How do I stop the applocker from blocking the CLEANMGR.EXE application?
OR
How do I hide the message box displaying the error to the kiosk user?
Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups
Windows for business | Windows Client for IT Pros | User experience | Other
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 32%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Sandy 0 Reputation points2025-08-04T14:06:46.86+00:00 We've been experiencing with Multi App Kiosks after logging in using domain co-managed devices. To address this problem, we added the CrossDeviceResume.exe file, and it seems to have resolved the issues. As a first step, please try adding the regedit entry. If everything functions properly, we can proceed to locate the exe file and include it in the XML file.
Registry Path for restrictedRun Policy:
If you need to view the Current User Registry, you can do so by logging in using the Kiosk user credentials. Once logged in, switch to the administrator login, and you should see the Kiosk user login registry loaded.
The restrictedRun policy is configured under the following registry path:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Steps to Allow CrossDeviceResume.exe:
Open the Registry Editor :
o Press Win + R, type regedit, and press Enter.
Navigate to the restrictedRun Registry Key :
o Go to the path:
o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Enable the restrictedRun Policy :
o If the RestrictRun key does not exist, create it:
• Right-click on the Explorer key, select New > Key , and name it RestrictRun.
o In the right-hand pane, create a new DWORD (32-bit) Value:
• Name it RestrictRun and set its value to 1 to enable the policy.
Add Allowed Applications :
o Add the specific applications you want to allow:
• Right-click on the RestrictRun key, select New > String Value , and name it AssignedAccess_#.
(# = last number of existing keys+1)
• Double-click on the newly created string value and set its data to the name of the executable you want to allow, e.g., CrossDeviceResume.exe.
o For additional applications, create new string values (2, 3, etc.) and set their data to the respective executable names.
Example Configuration : After configuring the registry, it should look like this:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"RestrictRun"=dword:00000001
" AssignedAccess_#"="CrossDeviceResume.exe"
Restart the Device :
o To apply the changes, restart the device or log out and log back in.
Notes:
Test Configuration: Always test the restrictedRun configuration in a controlled environment before applying it to production devices.
Administrator Rights: Ensure you have administrative privileges to modify registry settings.
Application Path: The restrictedRun policy requires only the executable name (e.g., CrossDeviceResume.exe), not the full file path.
Sign in to comment
Accepted answer
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 46%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Manasi Shirke (CONVERGYS CORPORATION) 81 Reputation points2021-10-08T18:17:05.617+00:00 -
MrMJFisher 51 Reputation points
2021-10-11T17:22:38.327+00:00 Great job @Manasi Shirke (CONVERGYS CORPORATION) ,
I am no longer getting the error for application cleanmgr.exe! :D
I Still am getting the error, but might be for applications that I have not whitelisted; or, maybe the applocker rules are conflating with my assigned access list. Will take me a few days to track down. I have other more pressing projects.
Thank you for keeping your head and staying calm while I was at my wits end.
Sign in to comment -
11 additional answers
Sort by: Most helpful
-
MrMJFisher 51 Reputation points
2021-05-17T19:28:24.523+00:00 I updated the assignedaccessconfiguration.xml to explicitly allow both x32 and x64 program file locations.
<App DesktopAppPath="C:\Program Files\CLEANMGR.EXE" /> <App DesktopAppPath="C:\Program Files (x86)\CLEANMGR.EXE" />This is still an issue.
Still blocking apps I have allowed.
How do I stop the applocker from blocking the CLEANMGR.EXE application?
or
How do I hide the message box displaying the error to the kiosk user? -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 71%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJT%3C/text%3E%3C/svg%3E)
Jason T. Banks 1 Reputation point2021-05-28T16:50:31.02+00:00 I had the same problem where once a week our multi-app Kiosk system displayed that an app was blocked by the administrator because of cleanmgr.exe.
The fix for me was to add Disk Cleanup as a Win32 app to our Intune Configuration profile. Not ideal that you want to publish this on a Kiosk, but given our Kiosk just monitors security cameras and doesn't have a keyboard or mouse connected, it wasn't a concern for us.
Name: Disk Cleanup
AUMID/PATH: C:\Windows\system32\cleanmgr.exe
DesktopApplicationId/AUMID for the Win32 app: {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cleanmgr.exe
Tile Size: Medium-
MrMJFisher 51 Reputation points
2021-06-08T16:13:15.613+00:00 Thank you @Jason T. Banks ,
I reviewed my xml file and I have added:
<App AppUserModelId="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cleanmgr.exe" />
<App DesktopAppPath="C:\Program Files\CLEANMGR.EXE" />
<App DesktopAppPath="C:\Program Files (x86)\CLEANMGR.EXE" />
I'm starting to wonder if Intune's configuration profile functions differently.
Sign in to comment -
-
MrMJFisher 51 Reputation points
2021-07-06T21:58:45.093+00:00 I am still having this issue and have opened a Microsoft Support ticket.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 55.00000000000001%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECD%3C/text%3E%3C/svg%3E)
Clint DeMill 1 Reputation point2021-08-27T18:18:19.413+00:00 Any luck? I'm having a similar issue and can't find any solutions.
Sign in to comment -
-
MrMJFisher 51 Reputation points
2021-08-27T21:39:50.827+00:00 I have had no luck and an open ticket with Microsoft for weeks now.
Since I installed the Windows Imaging and Configuration Designer from the Microsoft Store there may have been incompatibility issues between that designer and the Windows 10 2004 version running on the Kiosk.
Uninstalled existing version, restarted, installed from the ADK setupselected Imaging and configuration designer
> requires the configuration designer and User State Migration Tool (USMT)Then re-created the package from scratch
I used the same xml file for assigned access.
Logged the kiosk user out, logged in as administrator.
Removed all (the one) provisioning packages.
Get-ProvisioningPackage -AllInstalledPackages -Verbose
... shows packages ...
Uninstall-ProvisioningPackage -AllInstalledPackages -Verbose
Get-ProvisioningPackage -AllInstalledPackages -Verbose
Ensured no provisioning packages were installed.installed the new package
rebooted.Issue returned.
-
MrMJFisher 51 Reputation points
2021-10-11T17:28:06.297+00:00 See answer to Microsoft ticket by @Manasi Shirke (CONVERGYS CORPORATION)
Sign in to comment -