Since October 14th, 2025, Microsoft has disabled previews in Windows File Explorer, for at least all downloaded files from the Internet and stored on network shares.1 Attackers could capture NTLM hashes simply by viewing the preview.
I had to smile. It’s as if Microsoft had read my blog post “Why Every Windows AD Should Be Kept Offline” earlier this month,2 where I discussed exactly this kind of NTLM leakage.
Of course, it’s generally better when digital processes don’t rely on handling loose files - not from the internet, not from any network share. For years I’ve recommended completely disabling the preview function via the appropriate Group Policies (GPO). That’s always been a topic of debate among users, admins, and decision-makers.
Once again, it’s typical Microsoft patchwork.
A maximally harmful, yet ineffective measure:
- The conflict with users is inevitable.
- The admins have to clean up the mess.
- The actual problem remains unsolved.
Bravo!
Yours,
Tomas Jakobs