![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 8%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYH%3C/text%3E%3C/svg%3E)
28,655 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi @yuan huang,
Currectly Q&A only support English, and please do not post any personal information in the post, for security reasons.
For the issue you mentioned, this appears to be a known issue, and you can try this workaround and check if this work for you:
Multi-app Kiosk
Multi-app kiosks can be configured with local, AD or AAD user accounts, as described here.
The following steps target multi-app kiosks setup with local user accounts:
- In the kiosk device, login with the local admin user
- Take note of the kiosk user local account and replace below
- Open an elevated command prompt and type the following command:
wmic useraccount where name='<kioskUserLocalAccount>' get sid
- Take note of the
SIDin the output - In the elevated command prompt, type the following command:
Robocopy C:\Windows\System32\GroupPolicyUsers\S-1-5-32-545 C:\Windows\System32\GroupPolicyUsers\<SID_obtained_from_wmic_output> /mir
- Open File Explorer and access the following folder:
C:\Windows\System32\GroupPolicyUsers\<SID_obtained_from_wmic_output>\User\
- Rename the Registry.pol file in this folder to Registry_old.pol
- Copy the supplied Registry.pol file to this location
- Log in with the kiosk user account or simply restart the device for changes to take effect
For multi-app kiosks using AD or AAD accounts, the restrictive settings can be modified using domain GPO/Intune, targeting the following policy settings:
- GPS: Default risk level for file attachments (gpsearch.azurewebsites.net) - Set to Disable
- GPS: Inclusion list for low file types (gpsearch.azurewebsites.net) - Set to Disable
With this configuration, Edge will be able to download the most common file types. High risk file types as described at Information about the Attachment Manager in Microsoft Windows will still be blocked from being downloaded in the kiosk environment. To see the list, scroll down until you see
Optionally, if the customer would like to generate their own modified Registry.pol file instead, here at the instructions:
- Download the LGPO tool at Download Microsoft Security Compliance Toolkit 1.0 from Official Microsoft Download Center
- Extract the tool locally and place the regpol.txt file in the same folder. Feel free to review the settings that will be used to generate the Registry.pol file
- Open a command prompt and type:
LGPO.exe /r regpol.txt /w Registry.pol
- Then use the generated Registry.pol file with the steps above
The regpol.txt is also attached to this top issue but it should only be supplied (along with the previous steps) if the customer expresses interest in generating the modified Registry.pol file by themselves.
Best regards,
Xudong Peng
If the answer is the right solution, please click "Accept Answer" and kindly upvote. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.