Windows blocks File Explorer preview for Internet files to curb NTLM hash leakage

CyberSecureFox 🦊

Microsoft has changed how the File Explorer preview pane behaves in Windows, closing a low‑interaction path to NTLM credential exposure. Beginning with updates released on October 14, 2025, preview rendering is automatically disabled for files that originate from the Internet or reside in locations treated as untrusted network zones, reducing the chance of NTLM hash leakage when a user merely selects a file.

What changed in Windows 11 and Windows Server

The new behavior targets two object categories: files stamped with Mark of the Web (MotW) and content stored in network locations that Windows classifies as the Internet zone. For these items, the preview pane no longer renders content. Instead, Explorer displays a warning indicating the file may be unsafe and advising users to open it explicitly if they trust the source.

Local files and items in trusted locations continue to preview as before. The change specifically addresses scenarios where passive previewing could trigger network calls without the user opening the file.

Why the NTLM preview risk matters

Some previewable formats can contain embedded references to external resources (for example, HTML fragments or metadata that reference remote SMB/WebDAV paths). When previewed, Windows may attempt to fetch those resources and negotiate NTLM authentication, sending a challenge–response hash that can be intercepted or relayed by an attacker. Critically, this can occur on simple selection in File Explorer, creating a near zero‑interaction path to credential compromise.

This forced‑authentication class of issues is well documented in industry guidance and real‑world cases. For example, Microsoft’s 2023 Outlook vulnerability CVE‑2023‑23397 demonstrated how background authentication could be abused to leak NTLM hashes. MITRE ATT&CK also describes adversary‑in‑the‑middle and relay techniques involving NTLM. See: Microsoft NTLM overview, MSRC: CVE‑2023‑23397, and MITRE ATT&CK T1557.

Mark of the Web and security zones: how Windows decides

MotW is a Windows feature that stores a Zone.Identifier alternate data stream (ADS) on files downloaded from external sources. That tag informs security decisions across the OS, including Microsoft Defender SmartScreen and protected modes in applications. With this update, Windows now uses MotW and zone mappings to block preview rendering for potentially risky content, which limits silent remote fetches and reduces NTLM exposure. See: Alternate Data Streams and SmartScreen overview.

Availability and safe ways to allow preview

The change is available for supported builds of Windows 11 and Windows Server once the October 2025 cumulative updates are installed. In legitimate workflows, users can opt in to preview by removing the Internet mark from a specific file: open Properties, on the General tab select Unblock, and confirm. Administrators can also designate trusted network paths through Trusted Sites in Internet Options or via Group Policy zone mappings for controlled exceptions.

Organizations should apply exceptions sparingly and only for vetted sources. Broadly trusting network locations can reintroduce forced‑authentication risks.
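As an added example (not code from the CyberSecureFox article or from Microsoft), the PowerShell below shows what the Mark of the Web tag described above looks like on disk and how the explicit opt-in from the previous paragraph maps to a cmdlet. It writes a constructed sample file in $env:TEMP with a Zone.Identifier stream, reads the stream back and reports the zone, lists the current user and Group Policy zone mappings (assumption: the standard ZoneMap\Domains registry layout), and finally unblocks the sample only because it is our own constructed file. Treating ZoneId 3 and 4 as the zones whose preview is now blocked is an assumption drawn from the article's wording, not a documented threshold.

```powershell
# Added example, not code from the article or from Microsoft.
# Needs an NTFS volume for the alternate data stream (ADS) write below.

$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-MotwInfo {
    # Read the Zone.Identifier ADS (Mark of the Web) of one file and summarise it.
    param([Parameter(Mandatory)][string]$Path)

    $info = [ordered]@{
        Path = $Path; HasMotw = $false; ZoneId = $null; Zone = 'none'
        ReferrerUrl = $null; HostUrl = $null; LikelyPreviewBlocked = $false
    }
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($stream) {
        $info.HasMotw = $true
        foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
            if     ($line -match '^ZoneId=(\d+)')     { $info.ZoneId = [int]$Matches[1] }
            elseif ($line -match '^ReferrerUrl=(.+)') { $info.ReferrerUrl = $Matches[1] }
            elseif ($line -match '^HostUrl=(.+)')     { $info.HostUrl = $Matches[1] }
        }
        if ($null -ne $info.ZoneId) {
            $info.Zone = $ZoneNames[$info.ZoneId]
            # Assumption: Internet (3) and Restricted sites (4) are the zones the
            # October 2025 change treats as untrusted for preview rendering.
            $info.LikelyPreviewBlocked = $info.ZoneId -ge 3
        }
    }
    [pscustomobject]$info
}

function Get-ZoneMapEntries {
    # List host-to-zone mappings from the user hive and from Group Policy.
    # Assumption: the standard ZoneMap\Domains layout (one key per domain label,
    # nested sub-keys for sub-domains, values named after the protocol or '*').
    $roots = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $source = if ($root -like 'HKLM:*') { 'Group Policy' } else { 'User' }
        foreach ($key in Get-ChildItem -LiteralPath $root -Recurse) {
            # Key path "Domains\example.com\www" describes host www.example.com.
            $labels = ($key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)) -split '\\'
            [array]::Reverse($labels)
            foreach ($valueName in $key.GetValueNames()) {
                $zoneId = [int]$key.GetValue($valueName)
                [pscustomobject]@{
                    Source   = $source
                    Host     = $labels -join '.'
                    Protocol = $valueName
                    ZoneId   = $zoneId
                    Zone     = $ZoneNames[$zoneId]
                }
            }
        }
    }
}

# Constructed sample: a text file tagged as if it had been downloaded from the Internet zone.
$sample = Join-Path $env:TEMP 'motw-preview-demo.txt'
Set-Content -LiteralPath $sample -Value 'constructed sample document'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]'
    'ZoneId=3'
    'ReferrerUrl=https://example.invalid/'
    'HostUrl=https://example.invalid/report.txt'
)

Get-MotwInfo -Path $sample | Format-List
Get-ZoneMapEntries | Format-Table -AutoSize

# Equivalent of Properties > General > Unblock: removes the Zone.Identifier stream.
# Done here only because the file is our own constructed sample.
Unblock-File -LiteralPath $sample
Get-MotwInfo -Path $sample | Format-List
```

The first Get-MotwInfo call reports ZoneId 3 (Internet) with LikelyPreviewBlocked set; after Unblock-File the stream is gone and HasMotw is false, which is the state a user reaches by clicking Unblock in the file's Properties dialog. Get-ZoneMapEntries shows which hosts an administrator has already promoted to Local intranet or Trusted sites, and is the place to look when a network share previews despite carrying Internet-origin files.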

Enterprise security recommendations that complement the change

Blocking preview removes a silent rendering vector, but comprehensive defense requires layered controls. Consider the following measures:

– Enable and tune the “Network security: Restrict NTLM” policies; prioritize Kerberos where possible and phase out legacy NTLM. See: Mitigating NTLM relay attacks.

– Turn on Windows Defender Credential Guard and require SMB signing to resist relay and tampering. See: Credential Guard and SMB signing overview.

– Use Attack Surface Reduction (ASR) rules and SmartScreen to block untrusted content and limit risky behaviors. See: ASR rules.

– Employ digital signatures for internal documents and managed file‑exchange channels, which can safely eliminate MotW where appropriate.

– Train users to recognize the risks of “files from the Internet” and to avoid working with them from untrusted network shares.
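The following read-only audit is an added example (not code from the article or from Microsoft) that reports the state of the controls recommended above on a single host: the "Restrict NTLM" outgoing policy and LAN Manager authentication level in the Lsa registry keys, SMB signing on the client and server side, whether Credential Guard is running, and how many Attack Surface Reduction rules are in Block mode. It uses documented registry values and cmdlets; the "Hardened" verdict per row is an assumption about what a reasonable target looks like, not Microsoft guidance. Run it from an elevated PowerShell; Get-SmbServerConfiguration and Get-MpPreference may fail without elevation or without Defender, and those rows then report as unavailable.

```powershell
# Added example, not code from the article or from Microsoft.
# Read-only audit of the NTLM, SMB signing, Credential Guard and ASR controls
# recommended above. Nothing is changed on the host.

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-NtlmHardeningStatus {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $rows = New-Object System.Collections.Generic.List[object]

    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    # 0 = allow all, 1 = audit all, 2 = deny all.
    $restrict = Get-RegistryValue "$lsa\MSV1_0" 'RestrictSendingNTLMTraffic'
    $restrictText = if ($restrict -eq 2) { 'Deny all' } elseif ($restrict -eq 1) { 'Audit all' } else { 'Not configured / allow all' }
    $rows.Add([pscustomobject]@{ Control = 'Restrict outgoing NTLM'; Value = $restrict; Status = $restrictText; Hardened = ($restrict -eq 2) })

    # "Network security: LAN Manager authentication level": 5 = send NTLMv2 only, refuse LM and NTLM.
    $lm = Get-RegistryValue $lsa 'LmCompatibilityLevel'
    $rows.Add([pscustomobject]@{ Control = 'LM authentication level'; Value = $lm; Status = "LmCompatibilityLevel=$lm"; Hardened = ($lm -eq 5) })

    # SMB signing required on the client and on the server (server query needs elevation).
    $clientSign = $null; $serverSign = $null
    try { $clientSign = (Get-SmbClientConfiguration -ErrorAction Stop).RequireSecuritySignature } catch { }
    try { $serverSign = (Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature } catch { }
    $rows.Add([pscustomobject]@{ Control = 'SMB client signing required'; Value = $clientSign; Status = "RequireSecuritySignature=$clientSign"; Hardened = ($clientSign -eq $true) })
    $rows.Add([pscustomobject]@{ Control = 'SMB server signing required'; Value = $serverSign; Status = "RequireSecuritySignature=$serverSign"; Hardened = ($serverSign -eq $true) })

    # Credential Guard: Win32_DeviceGuard.SecurityServicesRunning contains 1 when it is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
    $cgFlags   = Get-RegistryValue $lsa 'LsaCfgFlags'   # 1 = enabled with UEFI lock, 2 = enabled without lock
    $rows.Add([pscustomobject]@{ Control = 'Credential Guard running'; Value = $cgFlags; Status = "Running=$cgRunning LsaCfgFlags=$cgFlags"; Hardened = $cgRunning })

    # Attack Surface Reduction: action 1 = Block, 2 = Audit, 6 = Warn, 0 = Disabled.
    try {
        $mp      = Get-MpPreference -ErrorAction Stop
        $actions = @($mp.AttackSurfaceReductionRules_Actions)
        $blocked = @($actions | Where-Object { $_ -eq 1 }).Count
        $rows.Add([pscustomobject]@{ Control = 'ASR rules in Block mode'; Value = $blocked; Status = "$blocked of $($actions.Count) configured rules"; Hardened = ($blocked -gt 0) })
    } catch {
        $rows.Add([pscustomobject]@{ Control = 'ASR rules in Block mode'; Value = $null; Status = 'Defender cmdlets unavailable'; Hardened = $false })
    }

    $rows
}

Get-NtlmHardeningStatus | Format-Table -AutoSize
```

Rows with Hardened = False are the ones worth taking to change control; the Restrict NTLM row in particular is best moved to audit (1) first and reviewed against the NTLM audit events before switching to deny (2), since the preview-pane change only removes one trigger while a permissive outgoing-NTLM policy leaves the others in place.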

Microsoft’s update is a pragmatic balance between usability and security: it removes a common, low‑interaction attack path in the File Explorer preview pane while preserving clear, controllable ways to trust known files and locations. Enterprises that rely on previewing downloaded content should adjust processes accordingly and combine this change with NTLM hardening, credential protection, and signed transport to materially reduce the likelihood and impact of NTLM hash leaks and relay attacks.
