Updated

Updated · Windows Central · Jun 11

Microsoft Blocks Untrusted desktop.ini in Windows 11 and 10, Removing Custom Folder Icons

Updated

Updated · Windows Central · Jun 11

Microsoft Blocks Untrusted desktop.ini in Windows 11 and 10, Removing Custom Folder Icons

Q: Was this Windows security fix rolled out silently to combat an active threat?

Yes — but not as an emergency out-of-band patch for a new zero-day. The June 2026 Windows update did quietly change behavior by making Explorer ignore `desktop.ini` files from untrusted sources, and reporting indicates Microsoft did not prominently flag the change before users noticed missing custom folder icons and localized names. It arrived through the normal Patch Tuesday cumulative updates, not a separate urgent release. The evidence suggests the change was meant to reduce a real, known attack surface rather than respond to a brand-new crisis. The additional material ties the hardening to a long-standing Windows Shell weakness in how `desktop.ini` can be parsed, a flaw documented for years and reportedly used in real-world attacks, including by the OceanLotus threat group. That gives Microsoft a concrete security reason to act. So the fix was “silent” mainly in the sense of being a low-profile behavioral change inside a routine security update. It was aimed at blocking abuse of a feature that had documented exploitation history, especially for files carrying Mark-of-the-Web or coming from remote and untrusted locations. What is not supported by the available information is the idea that Microsoft rushed this out because of a currently unfolding mass attack. The update looks more like preventive hardening against an old but credible threat vector than a covert response to an active emergency.

1 articles · Updated · Windows Central · Jun 11

June 2026 security updates for Windows 11 and Windows 10 now ignore desktop.ini files from untrusted sources, so some folders lose custom icons or localized names even though the folders still work normally.
Microsoft says the change is intentional hardening: files tagged with Mark-of-the-Web, some WebDAV locations and certain network paths can no longer alter folder presentation because those cosmetic changes could disguise malicious content.
Trusted customizations can be restored by adding internal sources to Trusted Sites, removing the Mark-of-the-Web tag with PowerShell, or enabling a Group Policy that allows remote-path shortcut icons.
That policy brings back previous behavior but weakens protection, underscoring Microsoft's broader shift toward limiting older Windows features when they create security risks.