Microsoft shipped its June 9, 2026 security patch for Windows 11, and one change is already causing a stir among power users and IT admins. Update KB5094126, which applies to both Windows 11 version 24H2 and the newer 25H2, deliberately stops File Explorer from honoring many desktop.ini folder customizations. The move is a security hardening measure, but it also strips away a feature that millions of users have relied on for years.
File Explorer will now check whether a desktop.ini file comes from a trusted source before applying any of its instructions. If the file resides on a network share, a removable drive, or any location Windows considers untrusted, the folder’s custom icon, tooltip, and other metadata will vanish, replaced by the plain yellow folder default. This behavior isn't a bug — it's the intended result of a new trust rule woven into the very fabric of the file browsing experience.
What desktop.ini Does and Why It Matters
The desktop.ini file is a hidden system file that has been part of Windows since Windows 95. It gives users and applications the ability to customize how a folder looks and behaves inside File Explorer. You can assign a unique icon, provide a localized folder name, add a tooltip description, or even specify a custom folder template for music, pictures, or videos. In corporate environments, IT departments often use desktop.ini to brand shared drives with company logos or to visually distinguish departmental folders. Home users and enthusiasts spend hours curating their digital libraries with personalized icons.
The mechanics are simple: when File Explorer encounters a folder with the system attribute set, it looks for a desktop.ini file inside. That text file contains sections like [.ShellClassInfo] with keys such as IconResource, InfoTip, and LocalizedResourceName. Historically, Explorer has always read and applied these settings unless the user had turned off the viewing option “Show hidden files” (though desktop.ini customizations worked even with hidden files hidden).
The June 2026 Change: A Trusted-Location Gate
KB5094126 introduces a fundamental shift. Starting with this update, File Explorer evaluates whether the folder holding the desktop.ini can be trusted. Microsoft’s security team has codified a set of rules that determine trustworthiness. While the exact algorithm hasn’t been fully documented, early testing indicates that the trust check considers:
- Whether the folder is on a local fixed drive formatted with NTFS and tagged as a system or boot volume.
- Whether the drive is protected by BitLocker.
- Whether the file’s origin can be validated via a digital signature or a known good location marker.
- Whether the path falls into a set of known high-risk zones, such as downloads, temporary folders, or removable media.
If the folder doesn’t meet the trust criteria, the desktop.ini is silently ignored. No error message appears. The folder simply displays its default icon and name, as if the desktop.ini didn’t exist.
This change affects not only manually placed desktop.ini files but also those created by legitimate applications. Software that customizes folder views—backup tools, media managers, or shell extensions—may suddenly find their customizations broken. Network drives, USB sticks, and SD cards are hit especially hard, because Windows considers them inherently less trustworthy than internal drives.
The Security Rationale: Phishing and Malware
Why would Microsoft take such a disruptive step? The answer lies in a class of attacks that abuse desktop.ini to trick users. By planting a malicious desktop.ini on a network share or inside a ZIP archive, an attacker can make a dangerous folder masquerade as something innocent. For example, a folder containing malware could be given the icon and display name of the Control Panel or the Recycle Bin. A victim browsing a shared drive might inadvertently open the folder expecting a system tool, only to launch ransomware.
These attacks have been documented in the wild. In 2023, a wave of phishing campaigns used fake OneDrive folders with convincing icons to harvest credentials. The desktop.ini file inside those folders contained a LocalizedResourceName that pointed to a deceptive string, and the IconResource referenced a system DLL to mimic a trusted application. Windows Defender and other anti-malware solutions could flag the executable payload, but the folder disguise itself often slipped past defenses.
By defaulting to a deny posture, KB5094126 closes this vector. Even if an attacker plants a rogue desktop.ini, File Explorer will simply ignore it unless the user has explicitly marked the location as trusted. This is a classic security trade-off: reduce functionality to shrink the attack surface.
Real-World Impact: Disappearing Icons and Frustrated Users
The initial reports started appearing on forums and social media within hours of the patch’s release. Users described how their carefully organized network drives suddenly reverted to a sea of identical yellow folders. Photographers who relied on custom icons to identify project folders were forced to read folder names again. IT admins received calls from employees asking why the department’s shared drive “looks weird.”
One enterprise administrator noted that the change broke a legacy document management system that used desktop.ini to color-code folders based on workflow status. The workaround required re‑engineering the entire folder structure or moving all data to a local server—an impractical solution for a branch office with terabytes of files.
Home users weren’t spared. Someone who had meticulously customized their music collection with artist icons discovered that the icons only appeared when the drive was directly attached to their PC, not when accessed over the home network. Another user reported that even folders on a secondary internal SATA drive lost their customizations because the drive wasn’t BitLocker-encrypted and was therefore considered untrusted.
The backlash has been swift, but Microsoft’s security response has remained firm. In a support article accompanying the update, the company stated: “To protect users from social engineering techniques that abuse folder properties, File Explorer now requires desktop.ini files to originate from trusted locations.” The article advises users to move critical folders to trusted drives or to adjust group policy settings, but it does not provide a way to return to the old behavior entirely.
Workarounds and Mitigations
For users and organizations that cannot live without desktop.ini customizations, several paths forward exist, though none are perfect.
1. Move Content to Trusted Locations
The most straightforward method is to ensure that folders containing desktop.ini are stored on a drive that Windows deems trusted. For most systems, this means the operating system’s own NTFS volume with BitLocker enabled. Network drives can sometimes gain trust through domain policies that mark them as intranet sites, but this requires administrative action.
2. Group Policy Adjustments
Microsoft has added a new administrative template policy: “Turn off desktop.ini trust evaluation.” Enabling this policy disables the trust check entirely, restoring the pre‑KB5094126 behavior. However, doing so opens the door to the very attacks the update was designed to prevent. The policy is available under Computer Configuration > Administrative Templates > Windows Components > File Explorer. It must be applied thoughtfully and only in environments where other security measures—such as strict network segmentation and endpoint detection—are in place.
3. Registry Hack
For Windows 11 Pro or Enterprise editions, power users can toggle the trust requirement via the Registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer]
"DisableDesktopIniTrustCheck"=dword:00000001
Setting the value to 1 disables the trust evaluation; setting it to 0 (or deleting the key) enforces the new secure default. A reboot or a restart of the Explorer process is required for the change to take effect.
4. Use Shell Extensions or Third-Party Tools
Some third-party file managers (e.g., Total Commander, Directory Opus) do not rely on the same shell components as File Explorer and may continue to display desktop.ini customizations unaffected. However, these tools are not integrated into the standard Windows workflow and may not be suitable for all users.
5. Wait for a Future Update
Given the community feedback, Microsoft may refine the trust model in upcoming cumulative updates. It’s possible that a future patch will introduce a more granular whitelist, allowing users to designate specific drives or network paths as trusted without opening the entire system. Until then, the workarounds above remain the primary options.
Technical Deep Dive: How the Trust Check Works Under the Hood
While Microsoft hasn’t published the exact algorithm, security researchers have begun reverse‑engineering the behavior. The new logic appears to be implemented in the Windows Shell, specifically in the SHGetDesktopFolder and CDesktopFolder COM classes. When a folder is opened, the shell queries the file system for a desktop.ini and then passes the file path to a new security validator function.
This validator checks:
- The file’s zone identifier (Mark-of-the-Web) to see if it originated from the internet.
- The integrity level of the folder’s container (low integrity folders like
%TEMP%are automatically rejected). - The trust status of the drive as reported by the Windows Security Center. Drives that are not protected by BitLocker or that are marked as removable are considered low-trust.
- The file’s own DACL (discretionary access control list) to ensure that the current user’s account or a trusted installer wrote the file.
If any of these checks fail, the shell skips the desktop.ini entirely and falls back to default folder attributes.
This multi‑layered validation explains why some customizations survive and others don’t. A desktop.ini on the system drive created by a user with administrative privileges is likely to pass all checks. The same file copied to a USB stick fails the drive-trust and write-origin checks.
Enterprise Considerations
Organizations that have built workflows around folder customization face a rocky transition. Group Policy Objects (GPOs) can push the registry workaround, but that effectively nullifies a security patch that might be necessary for compliance. Security teams must weigh the risk of phishing attacks against the operational disruption.
For many, a middle ground involves cataloging all critical shared folders and migrating them to DFS (Distributed File System) namespaces hosted on fully encrypted, domain-joined servers. This can satisfy the trust validator while maintaining centralized management. However, branch offices with slow WAN links may suffer performance penalties if files are moved to a central site.
Another angle is the impact on legacy line‑of‑business applications. Some custom software uses desktop.ini to dynamically update folder appearances based on database statuses. These applications will break until developers rewrite them to use alternative customization methods, such as shell extensions or custom property providers.
The Broader Context: Windows 11’s Tightening Security Posture
KB5094126 is not an isolated tweak. It fits into a pattern of incremental security hardenings that Microsoft has been applying to Windows 11 since its launch. Previous measures included:
- Enforcing driver signing and blocking vulnerable drivers by default.
- Removing the ability to run macros in downloaded Office documents without explicit user consent.
- Disabling legacy protocols like SMB1 and TLS 1.0/1.1.
Each change broke something for a subset of users, and each was met with resistance. Yet over time, the community adapted, and the overall ecosystem became safer. The desktop.ini trust rule is likely to follow a similar trajectory: initial frustration, followed by gradual adoption of new practices and tools.
What Should You Do Right Now?
If you’ve installed KB5094126 and noticed missing folder icons, your first step is to check whether the affected folders are on a trusted drive. Open File Explorer, navigate to the folder, right‑click the drive in “This PC,” and select Properties. Look for the “Security” tab and check if BitLocker is enabled. If the drive isn’t encrypted, you can turn on BitLocker (available on Pro and Enterprise editions) to bring it into the trusted zone.
For network shares, contact your IT department. They can evaluate whether the GPO workaround is appropriate or whether a server‑side migration is needed. In the meantime, you can use the registry edit described above if you have local administrative privileges and accept the risk.
Keep an eye on official Microsoft channels. Early feedback may prompt a mid‑cycle update that tempers the trust checks, perhaps by allowing users to manually whitelist paths without completely disabling the feature.
Final Thoughts
Microsoft’s decision to enforce desktop.ini trust evaluation in Windows 11 KB5094126 is a classic security‑versus‑usability dilemma. The update closes a dangerous loophole that has been abused in real‑world attacks, but it also pulls the rug out from under a feature that many users have come to depend on. Whether this was the right call will become clear over the next few months as adoption spreads and the community finds its footing.
For now, Windows 11 users must choose between accepting the cleaner—but more generic—folder look, or digging into policies and registry keys to reclaim their customizations. Either way, one thing is certain: the days of unbridled desktop.ini magic are over, at least until Microsoft finds a more nuanced solution.