Microsoft’s June 9, 2026 security update for Windows 11 introduced a quiet but disruptive change that prevents File Explorer from applying desktop.ini folder customizations from locations it now considers untrusted, including network shares, removable drives, and downloaded folders. Tens of thousands of users and IT administrators who rely on custom folder icons, templates, and localized names to organize shared drives and portable storage flooded support forums within hours of the patch, reporting that their carefully crafted folder views had inexplicably reverted to generic yellow icons.

Patch Tuesday KB (the update is delivered automatically via Windows Update) was never advertised as a functional change. The security bulletin focused on a tightly guarded vulnerability, but the real-world fallout has been the sudden loss of visual customizations that many businesses and power users have depended on for years. A Microsoft spokesperson confirmed that the change is by design, intended to close an attack vector where malicious desktop.ini files could exploit the way File Explorer parses these configuration files.

The desktop.ini mechanism: a double‑edged sword

For decades, Windows has supported folder customization through a hidden system file named desktop.ini. Dropping this text file into a folder lets users override the default appearance: they can assign a custom icon, specify a localized display name, set a folder template (pictures, music, videos) that determines the default view columns, and even control the InfoTip that appears on hover. The format is simple; a typical desktop.ini might look like:

[.ShellClassInfo]
IconFile=%SystemRoot%\\system32\\SHELL32.dll
IconIndex=20
LocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21791

A folder with this file would display a custom icon and a translated name. File Explorer processes desktop.ini automatically whenever a folder is opened, reading the attributes and applying the changes on the fly. The file’s hidden and system attributes normally prevent accidental editing, but any user with write permission to a folder can place or modify a desktop.ini.

This convenience has always carried a risk. Because desktop.ini is essentially a script that File Explorer interprets without warning, a crafted file could, in theory, redirect icon resources to paths under an attacker’s control, exploit parsing bugs in the shell, or mislead users by disguising a malicious folder as a benign system directory. Microsoft has periodically hardened the handling, but the June 2026 update represents the most aggressive lock‑down yet.

What the June 2026 security update changed

The core of the update is a new validation layer that assigns a trust level to the location from which a desktop.ini is read. According to the associated security advisory (Microsoft has not publicly released a CVE at the time of writing, though it is believed to address a privately reported issue), File Explorer now makes a distinction between:

  • Trusted local fixed drives (internal SSDs and HDDs, including the system drive)
  • Untrusted sources: network paths (UNC or mapped drives), removable media (USB flash drives, external HDDs), and folders marked as having originated from the internet (via Zone.Identifier alternate data streams)

When a folder resides on an untrusted source, File Explorer simply ignores its desktop.ini. The folder renders with the default generic icon, no localized name, and no custom template. The file itself remains on disk—File Explorer just refuses to act on it.

The update introduces a new Group Policy setting, “Allow desktop.ini customizations from untrusted locations,” located under Administrative Templates > Windows Components > File Explorer. By default, the policy is Not Configured, which translates to the restrictive behavior. Administrators can set it to Enabled to restore the old behavior, but Microsoft warns that doing so increases the attack surface. There is also a per‑machine registry option:

HKLM\\Software\\Policies\\Microsoft\\Windows\\Explorer
DWORD: AllowDesktopIniFromUntrusted = 1

For individual users who lack access to Group Policy, a separate registry key under HKCU can be added, though it requires admin privileges to create the corresponding policy entry. Without centralized management, most consumers will remain stuck with the new default.

Immediate impact on businesses and power users

The change has been felt most acutely in environments where network shared folders serve as department repositories or project workspaces. IT administrators often use desktop.ini to brand folders with department logos, color‑code project statuses, or apply views optimized for specific content (e.g., music folders that default to “Artist” and “Album” columns). After installing the June update, these visual cues vanished across entire organizations, leaving employees staring at uniform yellow icons and column layouts that no longer matched the data.

“We have over 12,000 folders on our NAS, each with a custom icon indicating the project phase,” wrote one systems engineer on Microsoft’s Tech Community. “Post‑update, everything looks the same, and our PMs are sending confused tickets by the minute.” Many users also reported that their removable media—external drives used for backup catalogs or photo libraries—lost their custom views, causing significant productivity hits.

Consumers who had personalized their own libraries and OneDrive folders (though OneDrive folders are local, they are sometimes flagged with a Zone.Identifier if downloaded) also saw reverting icons. The change took many by surprise because the security advisory did not emphasize the functional regression; it was buried in technical notes about a “defense‑in‑depth improvement for Shell parsing.”

Why Microsoft pulled the trigger now

Although Microsoft has not disclosed full details, security researchers speculate that the vulnerability being fixed could have allowed code execution simply by placing a malicious desktop.ini in a shared folder. A remote attacker who convinced a user to access a network share or insert a rigged USB drive could potentially compromise the machine through a carefully crafted icon file path or via a buffer overrun in the Shell’s desktop.ini parser. The fact that the change shipped as a security update rather than a feature update underscores the urgency.

Older versions of Windows 10 and Windows 11 received mitigation-like patches earlier (the same logic was present in test builds of the Windows Insider Dev Channel since early 2026), but the broad rollout was accelerated when a proof‑of‑concept exploit began circulating privately. The update also includes tighter control over how File Explorer resolves icon file paths: it now enforces strict path validation and disallows certain escape characters that could be used to traverse directories.

Workarounds and Microsoft’s guidance

For organizations that cannot immediately redesign their folder structures, Microsoft’s primary recommendation is to use the Group Policy setting to re‑enable desktop.ini processing—but only after conducting a risk assessment. The official support article advises that enabling the policy is safe only if all network shares and removable media that users access are fully trusted and malware‑free, which is a heavy assumption for large enterprises.

Alternative approaches include:

  • Replicating customizations via desktop.ini on a local cache: In hybrid work setups, centrally sync the folder structure to local drives and apply desktop.ini there, leaving the remote copy unstyled. This is bandwidth‑intensive and fails for collaborative real‑time access.
  • Switching to Windows Libraries: Libraries can aggregate scattered folders under a unified view that supports some customization, though they do not support per‑folder icons directly.
  • Using third‑party file managers: Applications like Total Commander or One Commander have their own icon assignment systems that are unaffected by Windows’ new restrictions, but this is a non‑starter for deployments where consistency and training matter.
  • Re‑evaluating trust levels: Some admins began exploring whether they could mark remote folders as trusted by modifying their Zone.Identifier or by hosting them on SMB shares with certain security descriptors. Early tests suggest that File Explorer’s trust check goes beyond simple zone flags and involves a combination of volume GUID and capability checks on the file system driver. No reliable unsupported bypass has emerged.

Microsoft has not indicated whether they will add a more granular option—for example, allowing customizations only from specific authenticated servers or domains—in a future update. Feedback in the Windows Feedback Hub has been vocal, and the Windows engineering team acknowledged the disruption in a community reply, stating they are “listening to feedback on the balance between security and usability.”

Historical context: the slow death of desktop.ini

This is not the first time desktop.ini functionality has been curtailed. Windows 10 version 1803 silently stopped processing desktop.ini for the root of a drive when viewed in “This PC” to prevent drive icons from being hijacked. Windows 11 24H2 introduced a mitigation that blocked desktop.ini files with overly long paths or those referencing uncompiled HLSL shaders (an odd vector that had been demonstrated at Black Hat). The June 2026 update completes a trajectory that began when Microsoft realized the flexibility of desktop.ini was too easily repurposed for social engineering and exploitation.

Long‑time Windows enthusiasts see the change as another step away from the customizable shell that defined the Windows UX. Where once users could freely skin folders, assign sounds to events, and tweak every pixel, the modern security landscape demands a locked‑down, predictable environment. The irony is that desktop.ini remains heavily used by Microsoft’s own shell team: the system’s “Documents,” “Pictures,” and “Music” folders all rely on desktop.ini to display their special icons and localized names on every Windows installation. Those system‑trusted folders are unaffected because they reside on the system drive and have an additional trust flag embedded in their binary shell properties.

What this means for Windows 11 going forward

The June 2026 update is a reminder that security patches can have sweeping functional consequences. Many administrators had grown accustomed to Patch Tuesday altering only security‑related code; when a stability or feature change sneaks in under the same banner, the resulting confusion is magnified. Because the patch arrived mid‑development cycle for Windows 11 version 25H2 (expected in the second half of 2026), it will likely be baked into the baseline installation for all new Windows 11 PCs, making the restrictive behavior the permanent default.

Organizations that rely heavily on visual folder customizations must now plan a transition. Some will bite the bullet and enable the Group Policy, accepting the security risk and hoping their perimeter defenses are sufficient. Others will accelerate moves toward digital asset management systems that embed metadata directly in files rather than relying on shell vestiges. A vocal minority has started campaigns on Twitter and Reddit, calling for Microsoft to add a per‑share or per‑drive opt‑in rather than a blanket policy.

Practical steps for IT administrators

If you manage Windows 11 machines and have not yet deferred the June 2026 update, you can prepare by:

  1. Inventorying which shared folders depend on desktop.ini: Use PowerShell scripts to scan network locations for desktop.ini files and document their customizations. Knowing the scope will help you decide whether to rebuild those views or accept the new look.
  2. Testing the Group Policy in a pilot ring: Deploy the “Allow desktop.ini customizations from untrusted locations” policy to a small group and monitor for any abnormal Shell behavior or unexpected security events. Check that anti‑malware software is configured to scan desktop.ini files on access.
  3. Educating end users: Send communications explaining why their folder icons have changed. Without this step, help desks will be overwhelmed with tickets that read “my icons are broken.”
  4. Exploring Microsoft 365 and Azure File Shares: If your organization is moving to cloud‑based collaboration, note that Azure Files mounted as SMB shares exhibit the same restriction. Microsoft’s recommendation is to use SharePoint Online’s custom column formatting and view templates instead, which rely on JSON schema and are not affected by client‑side shell parsing.

A wake‑up call for legacy UI customization

The desktop.ini saga exposes a broader tension inside Windows: how much of the classic exploratory shell can be preserved without compromising modern security standards? Many utilities that power users love—classic context menu handlers, shell extensions, custom preview handlers—run inside the explorer.exe process with high privileges, making them lucrative targets. Microsoft’s long‑term roadmap points toward WinUI‑based experiences and sandboxed extensions, but those shifts take years.

For now, the June 2026 update leaves a clear fingerprint: on any patched Windows 11 machine, a USB stick or network share full of personal photos will look like a generic blob of files unless an administrator explicitly allows the old behavior. That may be a small price to pay for closing a dangerous door, but the thousands of disgruntled comments on Microsoft’s own community forums suggest that for many, the cure feels disproportionate to the ailment. As one poster put it, “I understand the security concern, but why not just warn me and ask before disabling something I’ve relied on for twenty years?”

Microsoft’s silence on whether more refined controls are coming is the one variable that keeps the issue simmering. With the Windows Feedback Hub item already gathering tens of thousands of upvotes, the question is not whether Microsoft will respond, but whether the response will arrive before the next feature update hardens this restriction further.