The June 2026 Patch Tuesday updates, released on June 9, bring a notable security change to both Windows 11 and Windows 10. Microsoft is now blocking the loading of desktop.ini customizations—such as custom folder icons, localized names, and thumbnail preferences—when the folder originates from an untrusted source. This defense-in-depth measure aims to close a long-standing attack vector that allowed malicious actors to craft convincing phishing lures and camouflage malware.

What is desktop.ini?

desktop.ini is a hidden system file that Windows has used for decades to customize the appearance and behavior of folders. It enables features like:
- Custom folder icons (different from the generic yellow folder)
- Localized folder names (displaying “Documents” instead of “Documents” in a different language)
- Custom tooltips and InfoTips
- Folder thumbnail settings (for music, pictures, videos)
- Folder view templates

These settings are applied automatically when a user opens a folder containing a valid desktop.ini file. Typically, you’ll find legitimate desktop.ini files in system folders like Documents, Pictures, and Music, as well as in application directories to brand their folders.

The Security Risk

While convenient, desktop.ini files have been exploited for years. By placing a crafted desktop.ini in a malicious folder—say, inside a ZIP archive, on a USB drive, or on a compromised network share—an attacker could:
- Make a folder full of malicious executables look like a harmless “Photos” folder with a camera icon.
- Impersonate system folders like “Windows Update” to trick users into running malware.
- Use Unicode tricks in the LocalizedResourceName to display a fake name that hides the actual folder content.

Since Windows processes desktop.ini automatically upon folder navigation, users need not execute any file; simply browsing to the folder could trigger the misleading customizations. Although the desktop.ini file itself is not executable, it provides a social engineering foothold.

The June 2026 Patch Tuesday Change

Starting with the June 9, 2026 security updates (released as part of the regular Patch Tuesday cycle), Windows introduces a trust check for desktop.ini. Specifically, if a folder is marked as coming from an untrusted source—a state determined by the presence of a Zone.Identifier alternate data stream (also known as the “Mark of the Web”)—Windows will ignore any desktop.ini file within that folder.

In practice, this means:
- Unzipped archives from the internet: Custom icons and names no longer appear.
- Network shares mapped from untrusted locations: If the share is not in the Trusted Sites zone or lacks appropriate intranet markings, desktop.ini modifications are suppressed.
- Removable drives: Folders on USB sticks that were originally downloaded from the web and then copied may lose their custom look until the Zone.Identifier is removed.

The change affects all supported versions: Windows 11 (21H2, 22H2, 23H2, 24H2) and Windows 10 (22H2). Enterprise LTSC and Windows Server editions may also see this behavior if they have the update installed and have Windows Shell experiences enabled.

How It Works Under the Hood

The mechanism leverages the existing Zone.Identifier stream, which Windows uses to track the origin of files downloaded from the internet or received via email. When a folder inherits this mark (for example, because it was extracted from a .zip file that was itself downloaded), Windows Explorer now queries the zone information before applying any desktop.ini settings.

The logic is straightforward:
- If Zone.Identifier exists and contains a ZoneId > 1 (indicating Internet, Restricted Sites, or Untrusted), desktop.ini is blocked.
- If no Zone.Identifier is present, or if the ZoneId is 0 (Local Machine) or 1 (Trusted Sites), desktop.ini works as before.

Importantly, the folder itself remains accessible; only the cosmetic enhancements are stripped away. The folder reverts to its default icon and name as derived from the file system.

User Impact and Common Scenarios

For everyday users, this change might cause confusion. Imagine downloading a zip file containing a curated photo album with a custom folder icon. After extraction, the folder will show a generic icon instead of the intended one. Until the user manually removes the Zone.Identifier (for example, by clicking “Unblock” in the folder’s properties, or by running echo . >folder:Zone.Identifier:$DATA from command line—not recommended for inexperienced users), the customizations remain hidden.

Similarly, networked environments where departments share folders with corporate branding could see their tailored folders revert to a vanilla appearance. IT administrators may need to push Group Policies to exempt certain paths or to automatically unblock files from trusted internal sources.

Microsoft does not provide an official “off switch” for this security hardening. However, advanced users and administrators can work around it through a few methods:
1. Remove the Zone.Identifier: Right-click the folder, choose Properties, and on the General tab, click “Unblock.” This clears the mark and allows desktop.ini to function.
2. Deploy Group Policy: Set the policy “Do not preserve zone information in file attachments” under User Configuration > Administrative Templates > Windows Components > Attachment Manager. Note that this disables the Mark of the Web entirely, reducing overall security.
3. Add Network Locations to Trusted Sites: For intranet shares, add the server to the Trusted Sites zone via Internet Options. This lets Windows treat them as ZoneId 1.

Microsoft discourages blanket removal of Zone.Identifier because it would also disable other protections, such as SmartScreen and Office Protected View.

Enterprise Considerations

Enterprises with custom branding on shared drives should plan for this update. The behavior change could lead to help desk calls as users notice their meticulously organized team folders suddenly displaying generic icons.

Group Policy can be used to mark internal servers as trusted, but careful testing is advised. Windows Server file servers hosting desktop.ini files for folder customizations will not be intrinsically trusted unless the client machine has a matching zone policy.

Microsoft’s security bulletin (associated with this Patch Tuesday) likely provides further guidance on mitigating the impact in managed environments while preserving security.

A History of desktop.ini Exploits

This isn’t the first time Microsoft has had to address desktop.ini-related risks. In the past, malware families like Zeus and Emotet used desktop.ini to hide their payload folders. More recently, the Raspberry Robin worm spread via USB drives using desktop.ini to disguise malicious LNK shortcuts. By stripping the visual sugar coating from untrusted folders, Redmond raises the bar for such social engineering tactics.

Security researchers have long advocated for a “secure defaults” approach to these legacy features. The change aligns with Microsoft’s broader Secure Future Initiative, which prioritizes defensive hardening even if it slightly alters user experience.

What to Expect Going Forward

While the immediate effect is noticeable—especially for users who often handle content from the internet—the hardening is unlikely to cause widespread disruption. Most users interact with local folders that are not marked as untrusted, so their everyday desktop.ini customizations remain untouched.

Microsoft may refine the behavior in future updates, perhaps introducing more granular controls or a toast notification when desktop.ini is blocked, to inform users what’s happening. Feedback from the Windows Insider program will likely shape any adjustments.

For now, the June 2026 Patch Tuesday update serves as a reminder that even decades-old convenience features can become attack surfaces—and that security sometimes demands sacrificing a bit of shine.

How to Check if Your System is Affected

You can quickly test whether the update is in effect:
1. Download any ZIP file that contains a folder with a custom icon (e.g., a game mod or icon pack).
2. Extract it to a local drive.
3. Navigate to the folder in File Explorer.
4. If the folder appears with a generic icon and no special name, while the original source showed a custom icon, the block is active.

To verify the Zone.Identifier, open a command prompt in the parent directory and run:
notepad foldername:Zone.Identifier
If a file opens showing [ZoneTransfer] and ZoneId=3, the mark is present.

Conclusion

The June 2026 Patch Tuesday updates deliver a subtle but significant security improvement by neutering one of the oldest Windows customization features when it comes from untrusted sources. For Windows News readers, the key takeaway is clear: that charming little folder icon you downloaded might not show up until you explicitly trust it—and that’s a small price for a safer PC.

Stay tuned for more details as Microsoft’s official documentation rolls out. In the meantime, patch your systems and educate your users about the change.