Microsoft’s June 9, 2026 security updates bulldozed a beloved Windows customization feature, leaving users staring at bland yellow folders instead of their meticulously chosen icons. The patches, delivered via Windows Update, Windows Server Update Services, and the Microsoft Update Catalog, altered how Windows 10, Windows 11, and supported Windows Server releases handle desktop.ini files. Overnight, custom folder icons, localized names, and other desktop.ini-driven tweaks broke for untold numbers of users—all in the name of locking down a potential attack vector.

What desktop.ini Does—and Why It Matters

For decades, desktop.ini has been the quiet engine behind folder customization in File Explorer. This hidden system file, when placed inside a folder, can dictate the folder’s icon, infotip, and display name. It’s how Windows lets you right-click a folder, hit Properties, and assign a custom icon from a .ico or .dll file. It’s also how localized folder names appear—think “Documents” instead of “Documents” on a German system.

Desktop.ini is plain text, filled with simple directives. A typical file might read:

[.ShellClassInfo]
IconResource=C:\Icons\MyFolder.ico,0
LocalizedResourceName=My Custom Name

Windows reads these directives when displaying the folder, overlaying the custom icon and swapping the display name. Without them, folders fall back to the generic manila icon and their actual file-system name. The mechanism is ancient, dating back to Windows 95, and it has persisted through every major release.

The June 2026 Patch: What Microsoft Changed

The June 9, 2026 cumulative updates introduced a new security check that treats desktop.ini files as potentially dangerous when they carry the Mark of the Web (MotW). MotW is an NTFS alternate data stream that Windows attaches to files downloaded from the internet or extracted from certain archives. It tells Windows and applications like Microsoft Office to open the file in a protected, restricted mode.

For years, Windows generally ignored MotW on desktop.ini. Because these files can only instruct File Explorer to change icon resources and localized names—and cannot execute code—they were considered low-risk. But security researchers recently demonstrated that a malicious desktop.ini could point to a crafted DLL that, while not executed directly, could leak information or cause File Explorer to crash in exploitable ways. Microsoft’s advisory (released alongside the patches) rated the vulnerability as “Important” but not “Critical.”

The fix: starting with the June 2026 updates, Windows now checks for MotW on desktop.ini every time File Explorer enumerates folders. If the desktop.ini has an internet-origin MotW, Windows ignores the file entirely. No custom icon. No localized name. Just the default folder appearance.

Which Versions Are Affected

The change rolled out to all currently supported Windows editions:

  • Windows 10 version 22H2 (the final Windows 10 feature update)
  • Windows 11 versions 23H2 and 24H2
  • Windows 11 LTSC 2024
  • Windows Server 2022
  • Windows Server 2025

Windows 10 IoT and Windows 11 IoT editions are also affected, causing headaches in kiosk and embedded scenarios where folder customization is used for branding or user guidance.

Real-World Impact: Icons Vanish, Folders Revert

Within hours of the update, forums and social media lit up with reports. Users who had painstakingly customized their media libraries, project folders, and even system folders like Documents and Pictures found those customizations gone. The folders reverted to default icons, and any localized name set via desktop.ini disappeared, leaving the raw folder name visible—often a GUID or a command-line-unfriendly string.

One Windows 11 user described the experience: “I rebooted after installing KB5039212 (the June cumulative update) and my entire custom icon setup across three drives was gone. I thought my profile was corrupted.” The user, who maintains a large collection of icon-customized folders for video editing projects, spent hours re-applying icons only to realize the desktop.ini files were being ignored because they carried an MotW—their NAS had been mapped as a network drive, and Windows had tagged the files as coming from an untrusted source.

Network shares and external drives were hit hardest. Many users store portable apps or project folders on USB drives with custom icons for quick identification. When those drives were formatted or copied on a machine prior to the June patches, their desktop.ini files often lacked MotW. But if the files were ever downloaded from a cloud sync service or copied from a network location, Windows would have stamped them with the internet zone identifier. The June update then silently suppressed them.

The File Explorer behavior change also broke familiar system folders. Some users who had used third-party tweakers to customize their “Downloads,” “Music,” or “Videos” folders found those reset. Even the default user profile folders, which rely on desktop.ini for their localized display names, occasionally reverted—though Microsoft claims it exempted known system locations. Reports indicate that on some non-English Windows installations, the “Documents” folder appeared as “Documents” in File Explorer until the system rebuild its desktop.ini without MotW.

The MotW Problem: Why Your desktop.ini Got Flagged

The Mark of the Web is insidious. When you download a ZIP file containing a desktop.ini, extract it on another machine, or sync it via OneDrive or Dropbox, the MotW often follows the file. Dragging files from a web browser or email attachment also applies the mark. Even copying files over a network can trigger Zone.Identifier alternate data streams if Group Policy or mapped drive settings treat the source as internet zone.

Before June 2026, this never mattered for desktop.ini. Now it does. To make matters worse, Windows provides no obvious visual indicator that a desktop.ini is being ignored. There’s no error message, no tray notification, no entry in Event Viewer. The folder simply looks wrong. The only way to detect the issue is to open the file’s properties dialog and check for an “Unblock” checkbox under the General tab—or inspect the NTFS stream with a command-line tool.

Workarounds: What Users Can Do Today

Until Microsoft refines its approach, users have several options, each with trade-offs:

1. Manually Unblock desktop.ini Files

Right-click each desktop.ini, select Properties, and click “Unblock.” This removes the Zone.Identifier stream. But it’s hopelessly tedious for hundreds of folders. Power users can use PowerShell:

Get-ChildItem -Path C:\ -Recurse -Filter desktop.ini -Hidden -Force | Unblock-File

Run this from an elevated prompt on the affected drive. It will strip MotW from all desktop.ini files, restoring custom icons. Caution: this also removes the unblock signature from any other downloaded files in those folders, potentially lowering security.

2. Disable MotW Checking for the Folder

You can add the path to Windows’ trusted locations list via Group Policy or by adding a registry key under:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes

But this is unsupported and may break in future updates. It also opens the door to malicious desktop.ini files in those paths.

3. Recreate desktop.ini Files from Scratch

If you delete the existing desktop.ini and create a new one directly in the folder (not by copying), the file will not have MotW. Use Notepad, save as “desktop.ini” (including quotes to avoid .txt extension), and set the attributes to Hidden and System:

attrib +h +s desktop.ini

Then apply your customization. This is manual but guarantees the file is considered local.

4. Use Third-Party Tools

Tools like “CustomFolder” or “IconPackager” have been updated to handle the MotW issue by automatically unblocking desktop.ini during icon application. Stardock’s WindowBlinds and some other shell-enhancement suites already bypass the problem by injecting custom icon handlers rather than relying on desktop.ini.

Microsoft’s Stance: Security Over Convenience

In its advisory, Microsoft acknowledged the side effect but emphasized the security benefit. “We are aware that some users may experience loss of folder customization after applying this update,” the company wrote. “This change helps prevent a class of information-disclosure attacks that leverage crafted desktop.ini files to probe for resources or cause denial-of-service conditions in File Explorer.” The advisory recommends users ensure their desktop.ini files are created locally or use the Unblock method.

CrowdStrike and other security vendors have praised the change, noting that desktop.ini has been overlooked as an attack surface for years. “We’ve seen in-the-wild malware that abuses desktop.ini to harvest information about the computing environment,” said a senior researcher at a security firm, speaking on condition of anonymity. “This patch closes a door that should have been shut a long time ago.”

But the inconvenience is real. For IT administrators managing hundreds of endpoints with custom folder structures—such as shared drives mapped via GPO—the change broke carefully crafted user experiences overnight. “We had to roll back the June update on 200 terminals because our department templates use custom icons to guide users,” said an IT manager in the education sector. “The cost of reengineering that setup is more than the risk the vulnerability posed in our environment.”

What’s Next: A Patch for the Patch?

History suggests Microsoft will refine this change. The company has faced similar backlash before, such as when it blocked macros in Office by default and then had to roll out more granular controls. Windows Insiders already report that build 26200 (from the Canary channel) introduces a new Group Policy setting: “Allow desktop.ini from internet zones.” It defaults to disabled, but administrators can enable it for specific paths or all paths. The setting is expected to land in a production cumulative update in the coming months.

In the meantime, users must decide whether the custom look of their folders is worth the manual effort—or the reduction in security posture. The saga underscores a perennial tension in Windows: backward compatibility and user control versus an ever-tightening security model.

The Bigger Picture: MotW Creep

This isn’t the first time Microsoft has extended MotW enforcement. Over the past few years, the company has increasingly blocked execution of files with the internet zone identifier. Windows Defender SmartScreen already intercepts downloaded executables. Office blocks macros and ActiveX in MotW-tagged documents. Windows itself now blocks certain script files and MSI installers from running if they have the mark. Extending this to desktop.ini is a logical—though painful—progression.

Security experts point out that desktop.ini files, like .lnk shortcuts and .url files, have long had the ability to reference external resources. While they can’t directly execute code, they can leak information about the local system (by loading a custom DLL for an icon index) or cause Explorer to repeatedly crash, leading to a denial-of-service. In environments where every user is a local admin, that’s a low concern. But in enterprise settings with locked-down desktops, such behavior could be weaponized.

Lessons for Enthusiasts and Admins

For Windows enthusiasts who cherish folder customization, the June 2026 update is a reminder that no feature is too innocent to escape the security dragnet. To future-proof your customizations, consider these best practices:

  • Always create desktop.ini files locally, never import them from downloaded archives or email.
  • After applying custom icons, immediately check for and strip the Zone.Identifier stream.
  • Migrate from folder-level customizations to library-based organizational schemes that rely less on icon tricks.
  • Keep an eye on Insider build notes for the promised Group Policy control.

Administrators should audit shared drives and user profile directories for desktop.ini files that may have picked up MotW through backup rotations or file migrations. A proactive script can unblock them across the organization, but only after assessing the risk of the folders’ contents.

The Verdict

Microsoft’s June 9, 2026 updates plugged a legitimate hole, but the fallout proves that even a 30-year-old feature can become a casualty in the war against zero-day exploits. The desktop.ini trust change is here to stay, but the eventual introduction of granular policy controls will let users have their custom icons and lock them down, too. Until then, the workaround is a PowerShell script and a lot of patience.