KB5094126 and KB5093998 Introduce New Desktop.ini Security Restrictions in Windows

Microsoft’s June 2026 Patch Tuesday updates fixed more than 200 security vulnerabilities across Windows, but the company also introduced a lesser-known change that could affect how customized folders appear on some systems.

Alongside the security fixes, Microsoft confirmed that some custom folder names, icons, and folder presentations defined through desktop.ini files may no longer appear after installing the June updates.

Windows now blocks some desktop.ini customizations from untrusted sources

According to Microsoft, the change is part of a security hardening effort designed to reduce risks associated with folder customization files.

Windows will now treat certain desktop.ini configurations as potentially unsafe when it cannot verify their origin or trust status. As a result, custom folder names and visual modifications may not load if the associated desktop.ini file comes from an untrusted location.

The new behavior affects several scenarios, including:

• Files downloaded from the internet that contain Mark-of-the-Web (MOTW) metadata.
• Files copied from some WebDAV or HTTP-based remote locations.
• Network shares and remote paths that are not classified as intranet or trusted locations through Windows zone policies.

For many users, the change may go unnoticed. However, organizations that rely on customized network folders could see some folder labels, icons, or other visual customizations disappear after installing the updates.

Why Microsoft changed desktop.ini handling

Desktop.ini is a special Windows configuration file that allows administrators and users to customize how folders appear in File Explorer. The file can define folder names, icons, localized text, and other presentation settings.

Because Windows Shell automatically processes desktop.ini files, Microsoft considers them a potential attack surface. The company noted that attackers have historically abused folder customization mechanisms to trigger unexpected or unsafe behavior.

In some older attack scenarios, malicious or malformed attributes inside a desktop.ini file could contribute to vulnerabilities such as buffer overflows or other memory corruption issues. In the worst case, such flaws could potentially lead to arbitrary code execution under the permissions of the logged-in user.

How administrators can restore previous behavior

Microsoft recommends keeping the new protections enabled whenever possible. The preferred solution is to add known internal or managed sources to the Trusted Sites zone.

Once a source is trusted, Windows will continue processing desktop.ini customizations normally while maintaining protections for unknown locations.

Organizations that require broader compatibility can restore the previous behavior through Group Policy by enabling the “Allow the use of remote paths in file shortcut icons” setting.

Enabling this policy restores pre-June 2026 behavior for affected remote and untrusted folder customization scenarios.

However, Microsoft warns that broad opt-outs weaken the security improvements introduced in the June updates. The company recommends removing Mark-of-the-Web metadata only from trusted content and limiting trust settings to controlled internal sources whenever possible.

The June updates have already generated additional reports from users. Microsoft recently acknowledged that some systems may enter BitLocker recovery after installing KB5094127, while certain Windows 11 24H2 and 25H2 devices may encounter issues installing future cumulative updates.

Via Neowin