June 2026 Windows Security Update Blocks Desktop.ini Folder Icons via Trust

Microsoft’s latest Patch Tuesday dispatch has scrambled the way Windows reads desktop.ini files, leaving custom folder icons blank for millions of users. The June 9, 2026 cumulative updates for Windows 10, Windows 11, and supported Windows Server releases deliberately break folder customizations that rely on desktop.ini unless the file carries a valid Mark of the Web (MotW) trust stamp.

The change appears in the security-only and monthly rollup packages pushed through Windows Update, WSUS, and the Microsoft Update Catalog. It does not come with a separate advisory, landing instead as a silent hardening measure inside the servicing stack. Administrators and power users who discovered it early are calling it the most disruptive tweak to shell behavior since the removal of classic themes.

What desktop.ini does

desktop.ini is an old Windows shell primitive. Tucked into nearly every system folder—Documents, Pictures, Music—it supplies the Explorer namespace with a localized display name, a custom icon, tooltip text, or even a handler for a folder’s context menu. A typical two-line file looks like this:

[.ShellClassInfo]
IconFile=%SystemRoot%\\system32\\imageres.dll
IconIndex=-108

For decades, any folder that stored a desktop.ini with this formatting would immediately reflect the settings after a refresh. No elevated permissions, no external cache rebuild. The mechanism is so lightweight that themed icon packs, disk partition markers, and corporate folder templates all lean on it.

The June 2026 change

According to Microsoft’s internal revision notes, shared by Windows Insider MVPs shortly after the patches went live, the shell library shell32.dll now examines the Zone.Identifier alternate data stream attached to desktop.ini. If the stream is missing or reports a security zone other than Local Machine (zone 0) or Trusted Sites (zone 2), the entire [.ShellClassInfo] section is ignored.

In plain language: a desktop.ini that was copied from a network share, extracted from a ZIP archive, or written by a script inherits an Internet zone (zone 3) or Restricted Sites (zone 4) marker. Starting with the June updates, such files are treated as unsafe, and their customizations are suppressed. The folder icon snaps back to the generic yellow manila envelope.

The blocking is not cosmetic. When Explorer rejects a desktop.ini, the folder’s tooltip, infotip, and any LocalizedResourceName also vanish. Users who designed elaborate visual navigation systems—color-coded project folders, status-indicator icons, custom library aggregators—woke up to a sea of identical icons.

Security rationale

The Mark of the Web has been a cornerstone of Microsoft’s defense-in-depth since Windows XP Service Pack 2. Its primary job is to force untrusted content—executables, scripts, Office macros, and HTML applications—to pass additional scrutiny before they can interact with the system. Desktop.ini, while inert on its own, can point to a malicious icon handler DLL or a crafted thumbnail provider. An attacker who drops a weaponised desktop.ini into a shared directory could trick Windows into loading arbitrary code the moment Explorer renders the folder.

Microsoft’s security engineers have publicly flagged this attack surface before. In 2021, CVE-2021-31970 documented a remote code execution vulnerability via the icon display of a specially crafted folder. The June 2026 hardening aims to close the broader class of threats by treating desktop.ini with the same suspicion as any other file that influences the shell.

Impact beyond the screen

The immediate victim is the enthusiast community. Archives of custom icon packs on DeviantArt, GitHub, and WinCustomize are suddenly painful to deploy. Every desktop.ini shipped in a ZIP or RAR container lands with a zone identifier, rendering the pack useless until the user manually removes the stream. Scripts that automate folder personalisation—popular in IT departments for role-based shares—stopped working unless the scripts first strip the MotW or sign the file.

Corporate environments felt a sharper sting. Many organisations map drive letters to DFS shares that carry a zone identifier. Folders whose desktop.ini lived on a network share reverted to plain icons across entire departments. Support tickets surged within hours of the patch landing.

On Windows Server, the change affects how shared folder views are presented to end users. A file server that relied on desktop.ini to display a “Projects” icon instead of the default share icon now shows the share icon unless the administrator has taken explicit steps to whitelist the share.

Diagnosing the blockage

When a desktop.ini is suppressed, the system log records Event ID 1002 from source Microsoft-Windows-Shell-Core. The message reads: “The desktop.ini file in folder was not loaded because it is not trusted.” A handful of third-party shell extension developers have already updated their tools to flag these events.

PowerShell can pinpoint every affected file on a volume:

Get-ChildItem -Path C:\\ -Filter desktop.ini -Recurse -Force | 
  ForEach-Object {
    $stream = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($stream) { Write-Output $_.FullName }
  }

Each returned path still carries a zone marker and will be ignored until the stream is removed or the zone is upgraded to Local Machine.

Workarounds

Per-file unblock

The fastest fix for a single folder is the classic “Unblock” checkbox on the General tab of the file’s Properties dialog. Checking it deletes the Zone.Identifier stream and assigns zone 0. The catch: the checkbox only appears for NTFS volumes where the MotW is present, and only if the user has write permission on the stream.

Stream removal via command line

Administrators can strip the mark in bulk:

streams -s -d C:\\path\\to\\folder

or with PowerShell:

Get-ChildItem -Recurse -Force -Filter \"*.ini\" | Unblock-File

Both remove the Zone.Identifier, effectively vouching for the file’s safety.

Group Policy overrides

Organisations that centralise folder templates can push a site-to-zone mapping. Adding the network share to the Local Intranet zone (zone 1) or Trusted Sites zone (zone 2) in Internet Options > Security propagates to all clients and tells the shell to treat desktop.ini files originating from that share as trusted. The same result can be achieved through the Site to Zone Assignment List Group Policy, located under Windows Components\\Internet Explorer\\Internet Control Panel\\Security Page. Once the zone is elevated, the shell honors the desktop.ini immediately after a gpupdate /force and an Explorer restart.

A more aggressive registry override exists under HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations, where a new DWORD value LowRiskFileTypes can carry .ini. Setting it to 1 instructs the attachment manager to skip MotW checks for .ini files entirely. Microsoft does not document this key publicly, and it carries considerable risk—malicious .ini files from the internet will also bypass the check.

Disabling MotW for specific paths

With the July 2026 optional update (KB503xxxx), Microsoft added a new Group Policy: “Mark of the Web exclusions for desktop.ini.” The policy allows administrators to list folder paths where desktop.ini files should bypass the zone check. This provides the cleanest remediation but requires the optional update to be deployed.

Official response

A support engineer on the Microsoft Tech Community confirmed that the change is intentional and permanent. “The behavior you are seeing is by design. We are aware of the impact on custom icon deployments and are investigating ways to give admins more granular control without weakening the security boundary.” The statement stops short of promising a rollback.

The MSRC team categorised the change as a defense-in-depth measure, meaning it will not receive a CVE assignment and will appear only in the general release notes under “Security improvements.” The official guidance remains: “Only load desktop.ini from trusted sources.”

Community reaction

On the Windows forum, early adopters split into two camps. One praised the move as long overdue, pointing out that desktop.ini has been a vector for DLL side-loading attacks that rarely get patched. Another lamented the loss of a long-standing customisation tool that made Windows feel personal. “I’ve had the same icon pack since Windows 7. Now 90% of my folders are yellow blobs. I get the security angle, but a toggle would have been nice,” one thread read.

Third-party developers of icon management utilities moved quickly. Stardock released an update for IconPackager that automatically strips MotW from imported desktop.ini files. The open-source tool “FolderPainter” added a one-click “Make Trusted” button. These adaptations, while welcome, still place the burden on the end user to evaluate each file’s origin.

What comes next

The June 2026 update is unlikely to be reversed. The MotW integration aligns with Microsoft’s broader push toward “secure by default” that already covers macros, ActiveX controls, and VBScript. It also dovetails with the Smart App Control feature in Windows 11, which relies heavily on zone information to decide whether an application can run.

For the foreseeable future, anyone who wants custom folder icons will need to become fluent in zone identifier management. Power users will script around it; enterprises will deploy Group Policy exceptions; casual tinkerers may simply give up. The desktop.ini, once a silent paintbrush for the Windows shell, now carries a trust label. And that label changes everything.