Understanding the “inetpub” Folder in Windows 10/11 After April 2025 Update: Security Insights and Fixes

In the aftermath of the April 2025 Windows Update rollout, a seemingly innocuous folder named “inetpub” began appearing on Windows 10 and Windows 11 systems worldwide. Confusion reigned—after all, this empty directory, typically associated with web developers and Microsoft’s Internet Information Services (IIS), showed up even where IIS wasn’t enabled. Some users, referencing the absence of any mention in official release notes, went so far as to delete “inetpub,” suspecting it was a leftover from a botched update or, in more conspiratorial circles, an intentional but unexplained placement by Microsoft. However, digging beneath the surface quickly reveals that this folder is neither a bug nor a developer afterthought, but rather a key element of a critical security fix, one with significant implications for Windows security architecture and user best practices.

Understanding the Origins: “inetpub” and the April 2025 Update​

For those familiar with the Windows server and developer worlds, “C:\inetpub” is no stranger—it’s automatically created when IIS is enabled and serves as the root directory for web content. Yet its sudden, universal appearance on client versions of Windows 10 (with KB5055523 and subsequent patches) and Windows 11 (including the freshly minted 24H2 release) raised alarms. The folder, as verified by independent sources and confirmed by Microsoft’s technical documentation, was an intentional response to a new and serious security threat, tracked as CVE-2025-21204—a symbolic link resolution vulnerability within the Windows Update stack.

Why Does “inetpub” Matter?​

The CVE-2025-21204 vulnerability is significant: it involves improper symbolic link handling before file access, more specifically, “link following” in the Windows Update Stack. Without proper controls, this flaw could potentially be exploited by a local attacker to trick Windows Update into accessing or modifying files beyond its intended scope. This opens up avenues for privilege escalation or even unauthorized data modification. In Microsoft’s own (recently updated) documentation, the creation of the “inetpub” folder, with tightly controlled Access Control Lists (ACLs), forms a part of the security patch’s mitigation strategy.
Thus, even if IIS is not installed, removal or alteration of the “inetpub” folder post-update can leave the system in a vulnerable state—a subtle detail that was initially omitted from release notes and subsequently led to user confusion and accidental deletions.

Verifying the Claims: Release Documentation and Security Advisories​

At first glance, Windows’ silence about “inetpub” in its official update changelogs felt suspicious. However, recent updates to Microsoft’s documentation and support channels provide unambiguous confirmation: the folder’s creation is intentional, directly tied to the patch for CVE-2025-21204. Independent reporting by WindowsLatest and other trusted outlets has cross-validated this with Microsoft’s own statements.
To summarize, authoritative sources independently agree on the following points:

• “inetpub” is created post-April 2025 as part of the update process, regardless of whether IIS is enabled.
• The folder’s existence, along with specific ACLs, is required by the CVE-2025-21204 security fix.
• Deletion or incorrect permissions nullify the effectiveness of the patch and could re-expose vulnerable systems.
• Microsoft provides official guidance, updated as of late May 2025, for safely restoring the folder if deleted.

The Risk of Deletion: What Can Go Wrong?​

Deleting “inetpub”, or restoring it incorrectly, essentially unravels the patch’s intended protective mechanism. The risk here isn’t just cosmetic: without the correct ACLs, Windows Update could inadvertently follow symbolic links to sensitive locations, catalyzed by malicious actors seeking to exploit this oversight through privilege escalation. In the enterprise or administrative context, this represents a non-trivial risk—it can be a gateway to lateral movement, credential theft, or data tampering.
Security experts have consistently emphasized, both in Microsoft’s forums and in third-party advisories, the importance of leaving system-created security artifacts untouched unless official guidance states otherwise. The situation with “inetpub” stands as a textbook example: user intervention, in the absence of information and clarity, introduces avoidable security regressions.

Microsoft’s Remediation: From IIS Workarounds to a Purpose-Built Script​

Initially, Microsoft suggested that users could safely recreate “inetpub” by temporarily enabling IIS via Control Panel. While technically sound, this workaround came with caveats: IIS setup generates additional folders and configuration bloat that most non-developers don’t need, and the process itself is needlessly complex for the average end user.
Acknowledging the awkwardness—and after user feedback—Microsoft quietly published an official PowerShell script, Set-InetpubFolderAcl.ps1, to streamline the process. Available via the PowerShell Gallery and released on May 28, 2025, this script is now the company’s recommended means of restoring both the folder and its all-important security settings, without enabling superfluous services or features.

Step-by-Step: Safely Restoring “inetpub” with PowerShell​

The process, as described in both Microsoft’s support documentation and reported by outlets like WindowsLatest, is straightforward yet merits careful attention:

• Run PowerShell as Administrator: Elevated permissions are required due to system-level changes.
• Set Execution Policy (Temporary):
  Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
  This allows the script to run without overwriting user or system-wide policy.
• Install the Script:
  Install-Script -Name Set-InetpubFolderAcl -Force
  Pro tip: If prompted, allow the installation of the NuGet provider.
• Run the Script:
  Set-InetpubFolderAcl
  If the command is not found, invoke it from its installed path:
  & "C:\Program Files\WindowsPowerShell\Scripts\Set-InetpubFolderAcl.ps1"
  This restores “inetpub” and sets ACLs to match those expected by the April 2025 security update, re-enabling the fix for CVE-2025-21204.

Critical Analysis: Security Through Obscurity or Transparent Patch?​

While Microsoft’s engineering response—a script that elegantly sidesteps unnecessary complications—is commendable, the handling of the initial rollout merits critical scrutiny. The absence of upfront communication about the purpose and requirement for “inetpub” left users in the dark, with many assuming the folder was either vestigial or the byproduct of a silent install gone awry.

Key Strengths​

• Rapid Remediation: As soon as user confusion became widespread, Microsoft provided both official confirmation and a path to remediation via the PowerShell script.
• Minimized User Friction: The scripted fix avoids the need for enabling unnecessary Windows features, respecting user configurations.
• Security Posture: By enforcing proper ACLs, Microsoft closed off a clear privilege escalation vector.

Potential Risks and Weaknesses​

• Communication Breakdown: The delay in updating release notes and documentation fostered an information vacuum, which is always exploited by skepticism and, worse, by bad actors issuing unofficial “fixes.”
• Overreliance on User Diligence: Many users are not equipped to interpret the security relevance of a single directory and may ignore or counteract patches if guidance is unclear.
• Script Trust Model: While the script is signed and distributed via the official PowerShell Gallery, users less familiar with command-line interfaces or wary of changing execution policy may still hesitate to use it, leaving the security gap unaddressed.

Best Practice: A Blueprint for Future Rollouts​

This episode demonstrates a broader lesson for IT professionals and Microsoft alike: transparency and proactivity in change management, especially when it comes to system security, must take precedence. Users, whether home enthusiasts or enterprise admins, should:

• Read official patch notes and seek confirmation before deleting unfamiliar system objects post-update.
• Rely on signed and vetted scripts from trusted sources—the PowerShell Gallery, in this case, offers provenance tracking and digital signatures.
• Report anomalies to Microsoft or reputable forums—community vigilance remains an invaluable failsafe.

Frequently Asked Questions: Clearing the Confusion​

Do I need to restore “inetpub” if I never deleted it?​

No further action is needed if the folder is present since the April 2025 update and has never been altered.

What if I changed the folder’s permissions manually?​

To ensure CVE-2025-21204 is effectively patched, run the official PowerShell script, which will reapply the correct ACLs.

Will future updates fix this automatically?​

There is no official indication of retroactive correction—manual remediation appears necessary for systems where the folder has been deleted or altered.

Is the script safe to run?​

Yes, provided it is downloaded and executed exactly as instructed, from the Microsoft PowerShell Gallery. Avoid running scripts from unofficial sources.

Implications for Enterprise and Home Users​

For enterprises, especially those with centralized patch management, immediate remediation is critical. Endpoint management policies should prohibit manual tampering with system folders post-update, and periodic compliance scripts should check for the presence and correctness of “inetpub” and ACLs.
Home users, while less likely to be targeted by sophisticated link-following attacks, still bear the burden of vigilance. As more “non-obvious” patches adopt a similar pattern—deploying system artifacts unexpectedly—users must be equipped with both context and support.

Looking Ahead: Lessons from CVE-2025-21204 and the “inetpub” Story​

This incident is a stark reminder that even experienced users can trip over the nuances of modern security architecture. “inetpub”, far from being an innocuous or expendable directory, is now a linchpin for the proper application of a critical Windows Update fix.
For Microsoft, the episode highlights both the rigor and rapidity required in modern OS development—security responses must be transparent, well-documented, and accessible at every stage of the deployment. Failure to communicate clearly turns even the best-intentioned fix into a liability.
For the Windows community, the takeaway is equally clear: “don’t delete what you don’t understand” may sound simplistic, but in the context of cumulative updates and zero-day mitigations, it is sage advice.

The Bottom Line​

“inetpub” serves as both a technical and symbolic reminder: security, in today’s complex OS landscape, is as much about thoughtful implementation as it is about user education and communication. Microsoft has, in the end, provided the tools and the guidance to keep users safe—but it’s up to the community to stay informed, skeptical (in a healthy sense), and above all, proactive.
Should you restore “inetpub” if you deleted it after April 2025’s Windows Updates? Absolutely—from both an engineering and a security standpoint, Microsoft’s logic is sound and the risk of leaving your system exposed is too great to ignore. By following Microsoft’s official script-based remediation, you ensure your system remains protected against a subtle, but potentially dangerous, privilege escalation vector—one that, thanks to transparency and community feedback, is now thoroughly understood, and entirely fixable.

---

Source: Windows Latest Microsoft: Run PS script now if you deleted "inetpub" on Windows 11, Windows 10