Windows News
Microsoft’s June 2026 Patch Tuesday update has silently changed a decades-old Explorer behavior, causing custom folder icons and tooltips to vanish for unsuspecting Windows 11 users. The culprit: a security hardening tweak that now blocks File Explorer from loading untrusted desktop.ini files—the hidden configuration files that control folder appearance.
Affected updates are KB5094126 for Windows 11 version 24H2 (and the newly minted 25H2) and KB5093998 for Windows 11 23H2. Both were released on June 9, 2026, and introduce a new trust check that essentially applies a “mark of the web” (MotW) requirement to desktop.ini before Explorer honors its customization instructions.
For most users, the change went unnoticed. But power users, IT admins, and anyone who ever copied a customized folder from a network share, USB drive, or cloud-synced location quickly discovered that their folder icons reverted to vanilla yellow manila envelopes, and carefully crafted tooltip descriptions disappeared.
What is desktop.ini and why does it matter?
desktop.ini is a hidden system file that has lurked inside Windows folders since the days of Windows 95. It allows users and applications to customize a folder’s appearance without touching the system registry. Inside a desktop.ini, you might find directives like:
[.ShellClassInfo]
IconFile=C:\CustomIcons\myfolder.ico
IconIndex=0
InfoTip=This folder contains project files.
When File Explorer opens a folder, it checks for a desktop.ini. If found, it reads the settings and applies them on the fly. Users rely on this to give key directories distinctive icons, set preferred folder templates (pictures, videos, etc.), or add helpful tooltips. It’s a lightweight, portable customization mechanism—until now.
The security hardening: trust, but verify
In the June 2026 updates, Microsoft engineers extended the same logic used for downloaded files to desktop.ini. The Windows Attachment Manager adds a zone identifier (Zone.Identifier) alternate data stream to files arriving from the internet or other untrusted sources. This “mark of the web” tells the system that the file should be treated with suspicion. Before this update, File Explorer parsed any desktop.ini regardless of its origin. Now, it ignores desktop.ini files that are marked as originating from the Internet Zone or other untrusted zones.
A Microsoft security advisory (likely to be published as part of the monthly release notes) explains that a malicious desktop.ini could be crafted to exploit parsing vulnerabilities, trigger unwanted network connections via icon paths, or even execute code through custom property sheet handlers. While no active exploits are cited, the change aligns with a broader initiative to harden Windows against living-off-the-land binaries and file-based social engineering attacks.
Windows Insiders may have seen this change arrive earlier in the Dev Channel, but for general availability, it dropped unceremoniously in the mandatory Patch Tuesday cumulative updates. There is no dedicated KB article explaining the behavior change; the modification is buried in the security improvements section of the respective update notes.
The fallout: when folders lose their personality
The new trust check breaks folder customization in several real-world scenarios:
- Network shares and NAS drives: Files copied from a network location often retain the Internet Zone identifier unless explicitly unblocked. Entire shared project directories can go generic overnight.
- USB drives and external disks: Folders moved from a USB stick or external SSD may be flagged as untrusted, especially if the drive was formatted on another PC.
- Cloud-synced folders: If OneDrive or Dropbox downloads a folder as a zip or with MotW attached, the
desktop.iniinside becomes ignored. - Legacy backups and archives: Extracting a .zip file with customized folders results in all those
desktop.inifiles being blocked by default.
On Windows 11 24H2 and 25H2, the behavior is particularly noticeable because these versions display folder previews more aggressively. Users see a mix of customized and default folders, often failing silently with no error message. Tech forums and Reddit threads filled with confused complaints within days of the patch. Many users initially blamed corrupted profiles or display driver issues before zeroing in on the update.
Workarounds and mitigation
The most straightforward fix is to manually unblock the desktop.ini files. Right-click the file, select Properties, check the “Unblock” box on the General tab, and click OK. This removes the zone identifier. For bulk operations, PowerShell offers a one-liner:
Get-ChildItem -Path "C:\TargetFolder" -Recurse -Filter "desktop.ini" | Unblock-File
Administrators can also deploy a Group Policy to disable the MotW check for desktop.ini entirely, though this weakens the security posture. The exact policy path is not yet documented, but the setting is believed to reside under Administrative Templates\Windows Components\File Explorer and is called something akin to “Do not check zone information for desktop.ini files.” Editing the registry directly may be possible with a DWORD value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, but tinkering without official guidance is risky.
For network shares, the underlying issue is that the file server stamps files with a zone identifier when accessed over the SMB protocol in certain configurations. Switching to using DFS namespaces or adjusting NTFS permissions can sometimes prevent the zone identifier from being added, but this is not a universal solution.
The bigger picture: Windows security evolution
Microsoft’s decision to clamp down on desktop.ini is part of a multi-year initiative to make Windows “secure by default.” Recent examples include:
- Blocking macros in Office files from the internet
- Hardening the print spooler against Point and Print driver installation
- Disabling SMB1 and guest authentication by default
- Adding MOTW checks to LNK files and ISO mounts
Each hardening has caused friction for users and admins, but collectively they raise the bar against common attack vectors. desktop.ini attacks may sound esoteric, but in 2025, security researchers demonstrated how a crafted .zip file containing a desktop.ini with a malicious IconFile argument could force Explorer to load a specially crafted DLL from a remote path, executing arbitrary code simply by browsing to a folder. The June 2026 patch likely addresses a variant of this technique.
For enterprise environments, the challenge is balancing security with usability. IT departments should test the update in a ringed deployment, identify which file shares are affected, and use tools like Sysinternals Streams to audit and remove zone identifiers proactively.
What’s next?
The change is permanent. Microsoft rarely rolls back such hardening measures. Instead, expect a formal support article within the next month that details the behavior and provides the official policy path. PowerToys might gain a module to bulk-unblock files, and third-party file managers may add built-in workarounds.
In the meantime, users who rely on folder customization must adjust their workflows. For new folders created locally, desktop.ini will be trusted by default. The pain comes from moving or copying existing structured folders. The solution is simple: if a folder looks wrong, check for a blocked desktop.ini and unblock it.
The June 2026 update is a reminder that in Windows 11, security trumps sight—even if it means your meticulously organized project folders look a little less vibrant for a while.