How can we enable full Windows desktop access from within a custom shell on Windows 11 IoT Enterprise?

Question

How can we enable full Windows desktop access from within a custom shell on Windows 11 IoT Enterprise?

Shiv 20

We’re using Shell Launcher to replace the default shell with our custom application. The custom shell launches correctly, and everything works as expected.

However, our application includes a “Run Windows” option that should allow users to temporarily switch back to the full Windows desktop environment (with taskbar, start menu, and desktop icons). This no longer works, launching explorer.exe only opens a file explorer window, not the full desktop shell.

Is there a recommended or supported way to re-enable full Windows desktop access from within a custom shell on Windows 11 IoT Enterprise?

Answer accepted by question author

1 additional answer

Your answer

Answer 1

Domic Vo 7,830 Independent Advisor

Dear Shiv,

Launching explorer.exe from within a custom shell no longer restores the full desktop experience (taskbar, Start menu, desktop icons). Instead, it opens a standalone File Explorer window. This behavior is expected in Shell Launcher environments, as the system suppresses the standard shell components unless explicitly configured otherwise.

Here are Recommended approach:

To temporarily switch back to the full Windows shell experience, you’ll need to programmatically change the shell back to explorer.exe and restart the user session. Here’s how you can approach it:

Use Shell Launcher APIs or PowerShell to switch shell You can use Set-AssignedAccess or Shell Launcher v2 configuration to reassign the shell to explorer.exe.
Trigger a logoff/logon cycle After changing the shell, the user session must be restarted for the change to take effect. This can be done via script or user prompt.
Design your “Run Windows” option to automate this flow
- Behind the scenes, your app can: Update the shell assignment to explorer.exe Prompt the user to save work Log off the session Upon next login, the full Windows shell will be active

Simply launching explorer.exe from within a custom shell won’t restore the full desktop environment, as the system doesn’t treat it as the shell unless it’s assigned at session start.

If this guidance proves helpful, feel free to click “Accept Answer” so we know we’re heading in the right direction 😊. And of course, I’m here if you need further clarification or support. T&B, Domic Vo

Shiv 20 Reputation points

2025-10-06T10:26:57.6633333+00:00

Thanks for the detailed explanation, that aligns with what we’ve observed.

Actually, we’ve already implemented this approach behind the scenes of our “Run Windows” option, where we programmatically switch the shell back to explorer.exe and trigger a relogin. Unfortunately, the challenge is that this only works if we run the app under the SYSTEM account, which we were hoping to avoid. (https://free.blessedness.top/en-us/windows/configuration/shell-launcher/quickstart-kiosk?tabs=ps)

Is there any way to perform this shell switch without running the app as SYSTEM? We can live with the logoff/logon requirement, but ideally we’d like to handle the change from within our app running under a regular or administrator (non-SYSTEM) user context.

Appreciate your clarification, this helps confirm our findings!

Shiv 20

This is what we have tried from our app. Works only if I run this as SYSTEM user.

psexec.exe -i -s ourapp.exe

bool configure_or_reset_shell_launcher(bool set)
{
    // XML configuration for shell
    UnicodeString xmlConfig =
        L"<?xml version=\"1.0\" encoding=\"utf-8\"?>"
        L"<ShellLauncherConfiguration "
        L"xmlns=\"http://schemas.microsoft.com/ShellLauncher/2018/Configuration\" "
        L"xmlns:V2=\"http://schemas.microsoft.com/ShellLauncher/2019/Configuration\">"
        L"<Profiles>"
        L"<DefaultProfile>"
        L"<Shell Shell=\"%SystemRoot%\\explorer.exe\"/>"
        L"</DefaultProfile>"
        L"<Profile Id=\"{EDB3036B-780D-487D-A375-69369D8A8F79}\">"
        L"<Shell Shell=\"Path\To\OurApp\" "
        L"V2:AppType=\"Desktop\" V2:AllAppsFullScreen=\"true\">"
        L"<ReturnCodeActions>"
        L"<ReturnCodeAction ReturnCode=\"0\" Action=\"DoNothing\"/>"
        L"<ReturnCodeAction ReturnCode=\"-1\" Action=\"DoNothing\"/>"
        L"<ReturnCodeAction ReturnCode=\"255\" Action=\"DoNothing\"/>"
        L"</ReturnCodeActions>"
        L"<DefaultAction Action=\"DoNothing\"/>"
        L"</Shell>"
        L"</Profile>"
        L"</Profiles>"
        L"<Configs>"
        L"<Config>"
        L"<Account Name=\"Administrator\"/>"
        L"<Profile Id=\"{EDB3036B-780D-487D-A375-69369D8A8F79}\"/>"
        L"</Config>"
        L"<Config>"
        L"<Account Name=\"Cashier\"/>"
        L"<Profile Id=\"{EDB3036B-780D-487D-A375-69369D8A8F79}\"/>"
        L"</Config>"
        L"</Configs>"
        L"</ShellLauncherConfiguration>";

    HRESULT hr;
    bool success = false;

    IWbemLocator* pLocator = nullptr;
    IWbemServices* pServices = nullptr;
    IEnumWbemClassObject* pEnumerator = nullptr;
    IWbemClassObject* pObj = nullptr;
    ULONG returned = 0;

    // Assuming CoInitializeEx and CoInitializeSecurity have already been called.
    CoInitializeEx(NULL, COINIT_MULTITHREADED);
    CoInitializeSecurity(
        NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);

    hr = CoCreateInstance(CLSID_WbemLocator, nullptr, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID*)&pLocator);
    if (FAILED(hr))
    {
        log_event("configure_or_reset_shell_launcher() ", "Failed to create IWbemLocator");
        CoUninitialize();
        return false;
    }

    hr = pLocator->ConnectServer(SysAllocString(L"root\\cimv2\\mdm\\dmmap"), NULL, NULL, NULL, 0, 0, 0, &pServices);
    if (FAILED(hr))
    {
        log_event("configure_or_reset_shell_launcher() ", "Failed to connect to WMI namespace");
        pLocator->Release();
        CoUninitialize();
        return false;
    }

    hr = CoSetProxyBlanket(pServices,
                           RPC_C_AUTHN_WINNT,
                           RPC_C_AUTHZ_NONE,
                           NULL,
                           RPC_C_AUTHN_LEVEL_CALL,
                           RPC_C_IMP_LEVEL_IMPERSONATE,
                           NULL,
                           EOAC_NONE);
    if (FAILED(hr))
    {
        log_event("configure_or_reset_shell_launcher() ", "Failed to set proxy blanket");
        pServices->Release();
        pLocator->Release();
        CoUninitialize();
        return false;
    }

    hr = pServices->ExecQuery(SysAllocString(L"WQL"),
                              SysAllocString(L"SELECT * FROM MDM_AssignedAccess"),
                              WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY,
                              NULL,
                              &pEnumerator);
    if (FAILED(hr))
    {
        log_event("configure_or_reset_shell_launcher() ", "Failed to execute WMI query");
        pServices->Release();
        pLocator->Release();
        CoUninitialize();
        return false;
    }

    if (SUCCEEDED(hr) && pEnumerator)
    {
        hr = pEnumerator->Next(WBEM_INFINITE, 1, &pObj, &returned);
        if (returned == 0)
        {
            // No instance exists → create new one
            IWbemClassObject* pClass = nullptr;
            hr = pServices->GetObject(SysAllocString(L"MDM_AssignedAccess"), 0, nullptr, &pClass, nullptr);
            if (SUCCEEDED(hr) && pClass)
            {
                hr = pClass->SpawnInstance(0, &pObj);
                pClass->Release();
            }
        }

        if (pObj)
        {
            VARIANT vt;
            VariantInit(&vt);

            if (set)
            {
                log_event("configure_or_reset_shell_launcher() ", "Setting ShellLauncher");
                vt.vt = VT_BSTR;
                UnicodeString encodedXml = HtmlEncode(xmlConfig);
                vt.bstrVal = SysAllocString(encodedXml.c_str());
            }
            else
            {
                log_event("configure_or_reset_shell_launcher() ", "Resetting ShellLauncher");
                vt.vt = VT_NULL;
            }

            hr = pObj->Put(L"ShellLauncher", 0, &vt, 0);
            VariantClear(&vt);

            if (SUCCEEDED(hr))
            {
                hr = pServices->PutInstance(pObj, WBEM_FLAG_UPDATE_ONLY, nullptr, nullptr);
                success = SUCCEEDED(hr);

                if (!success)
                {
                    log_event("configure_or_reset_shell_launcher() ",
                              "Failed to put instance. Check if Shell Launcher is enabled in Windows Features.");
                    IWbemStatusCodeText* pStatusText = nullptr;
                    HRESULT hr2 = CoCreateInstance(CLSID_WbemStatusCodeText,
                                                   nullptr,
                                                   CLSCTX_INPROC_SERVER,
                                                   IID_IWbemStatusCodeText,
                                                   (LPVOID*)&pStatusText);
                    if (SUCCEEDED(hr2))
                    {
                        BSTR bstrError = nullptr;
                        if (SUCCEEDED(pStatusText->GetErrorCodeText(hr, 0, 0, &bstrError)) && bstrError)
                        {
                            wprintf(L"WMI Error: %s\n", bstrError);
                            SysFreeString(bstrError);
                        }
                        pStatusText->Release();
                    }
                }
            }

            // just log the value of success
            log_event("configure_or_reset_shell_launcher() ", success ? "Success" : "Failed");

            pObj->Release();
        }
        else
        {
            log_event("configure_or_reset_shell_launcher() ", "Failed to get or create MDM_AssignedAccess instance");
        }
    }
    else
    {
        log_event("configure_or_reset_shell_launcher() ", "No instances of MDM_AssignedAccess found");
    }

    if (pEnumerator)
        pEnumerator->Release();
    if (pServices)
        pServices->Release();
    if (pLocator)
        pLocator->Release();
    CoUninitialize();

    return success;
}

Answer 2

Answer from Microsoft (support email):

1- Shell Launcher v2 and Assigned Access APIs modify machine-level settings under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\ShellLauncher.

2- These changes affect all users, so Windows restricts them to SYSTEM or an elevated process with the right privileges.

3- Simply running as an Administrator often isn’t enough because the Assigned Access service enforces the policy.

Options and might work: Split Privilege Model

Keep your main app running under the user account.
Create a small helper service running as SYSTEM (or LocalSystem) that listens for requests from your app (via IPC or named pipe).
When the user selects “Run Windows,” the helper performs:
- Shell reassignment to explorer.exe using Shell Launcher APIs or PowerShell.
- Initiates logoff.
This is the most common pattern for kiosk scenarios.

Use Task Scheduler with Highest Privileges

Your app can trigger a scheduled task configured to run as SYSTEM.
The task executes the shell switch and logoff.

This avoids keeping a persistent SYSTEM service but still uses SYSTEM for the sensitive operation.

Share via

How can we enable full Windows desktop access from within a custom shell on Windows 11 IoT Enterprise?

1 additional answer

Your answer