When a routine Windows patch arrives, most users expect minor tweaks, bug fixes, and perhaps the occasional driver update—not the sudden appearance of a mysterious new system folder. Yet this is what thousands of Windows 10 and 11 users observed following the Windows 2025 April Patch Tuesday update, which deposited an empty
The abrupt emergence of the
To fully appreciate the significance of this episode, it’s crucial to understand what the
Microsoft’s official response, as confirmed by both the Windows Report and Microsoft Security Response Center (MSRC) advisories, is clear: the sudden creation of the
Thus, on any system with KB5055528 installed (the relevant update package), Windows checks for the presence of
As Microsoft itself cautions: If the %systemroot%\inetpub directory has been deleted after the Patch Tuesday update, immediate remediation is required. Microsoft has released a PowerShell script,
To clarify the process:
Security professionals point out a common pitfall: the more complex the OS’s internal machinery, the more moving parts there are to monitor for both administrators and defenders. When crucial compliance steps become invisible (or counter-intuitive, such as the requirement to keep an unfamiliar system directory), there is room for confusion and accidental weakening of the intended security posture.
Step-by-Step: Restoring the
For any user or IT administrator who deleted the folder—deliberately or by accident—the recovery process is relatively straightforward but does require elevated permissions. Microsoft’s remediation employs a PowerShell script, which performs the following:
For IT departments, this means paying closer attention to patch documentation and emerging advisories, rather than relying solely on traditional "if you don’t use it, remove it" routines. Enterprise images, group policies, and endpoint management scripts may need updating to accommodate these new requirements.
For individual users, it’s a signal that not every unfamiliar directory signals trouble—and that rapid deletion, absent context, can occasionally do more harm than good.
Industry experts widely agree that security is a journey, not a destination. These kinds of changes are likely to become more common as threat actors continue to probe and exploit edge-case privilege escalation opportunities. For all its messy complexity, the situation is a testament to the ongoing, real-time evolution of security strategy in the world’s most-used desktop OS.
For now, administrators and users alike should focus on keeping systems up to date, applying Microsoft’s official scripts where needed, and maintaining an open line of sight between emerging security advisories and day-to-day management habits. As Windows continues to shift and evolve, so too must the attitudes and practices surrounding what makes a system not just usable, but truly secure.
Ultimately, the best defense is an informed, proactive user—backed by software vendors who understand the value of clear, consistent dialogue about what’s happening under the hood. As with so many cybersecurity issues, knowledge is the greatest safeguard of all.
Source: Windows Report Deleted the inetpub folder on Windows 10/11: Here's what you need to do
C:\inetpub directory onto their drives. To make matters more perplexing, this happened even on systems where Internet Information Services (IIS)—Microsoft's web server software—was never installed or used.The abrupt emergence of the
inetpub folder has led to forum debates, concern about malware, and for many, the quick decision to simply delete the unfamiliar directory. However, the situation underscores a vital intersection between automated security measures and user awareness, raising questions about trust, transparency, and the evolving attack surface in modern Windows environments.
inetpub Folder
To fully appreciate the significance of this episode, it’s crucial to understand what the inetpub folder typically does. Traditionally, C:\inetpub serves as the default storage location for web content and logs when IIS is installed. On most consumer systems, where IIS isn’t enabled by default, this folder never appears. So why now, and why everywhere?Microsoft’s official response, as confirmed by both the Windows Report and Microsoft Security Response Center (MSRC) advisories, is clear: the sudden creation of the
inetpub folder is not a mistake, nor is it evidence of compromise. Instead, it’s an intentional part of a wider security fix—specifically, a mitigation of CVE-2025-21204, a moderate-severity privilege escalation vulnerability within the Windows OS.The Security Context: CVE-2025-21204
According to Microsoft's advisory, CVE-2025-21204 presented a pathway for attackers to elevate privileges on affected systems, potentially giving malicious actors more control or access than intended. As part of the urgent response, April’s security update included not only a patch but also a remediation script to ensure the correct folder and permission structures are established—even on devices where IIS isn’t running.Thus, on any system with KB5055528 installed (the relevant update package), Windows checks for the presence of
C:\inetpub and, if absent, silently creates it. This is meant to close off privilege escalation vectors that an attacker might exploit. While this is effective from a security hardening standpoint, the lack of prior user communication left the door open to confusion and alarm.What Happens If You Delete the Folder?
Given the folder is empty for most and not serving an active function, many assumed it was safe—or even preferable—to remove it. Therein lies a subtle but significant procedural misstep.As Microsoft itself cautions: If the %systemroot%\inetpub directory has been deleted after the Patch Tuesday update, immediate remediation is required. Microsoft has released a PowerShell script,
Set-InetpubFolderAcl.ps1, to properly restore the folder and its required permissions. This script checks for, creates as necessary, and configures the inetpub directory with default IIS permissions. It also recognizes scenarios where inherited directories (such as DeviceHealthAttestation) exist and applies correct access control lists (ACLs) accordingly.To clarify the process:
- If the directory is missing, the script recreates it and sets permissions.
- If present (but empty or only with specific subdirectories), permissions are reset.
- If the folder structure includes unexpected subfolders, the script exits without making changes—this is a safeguard to prevent disruption on servers where IIS is actively serving content.
Risks and Criticism: Security vs. Usability
Some security researchers, as reported by Windows Report, have warned that this security measure—while defensive—could inadvertently be leveraged for sabotage by malicious actors. Specifically, blocking or corrupting the creation of theinetpub folder could potentially interfere with the application of future security updates, creating a new attack surface. Microsoft, for its part, rates the vulnerability as moderate and considers the fix sufficient, but the dialogue highlights the inherent friction between rapid, system-wide mitigations and their unintended side effects.Security professionals point out a common pitfall: the more complex the OS’s internal machinery, the more moving parts there are to monitor for both administrators and defenders. When crucial compliance steps become invisible (or counter-intuitive, such as the requirement to keep an unfamiliar system directory), there is room for confusion and accidental weakening of the intended security posture.
Step-by-Step: Restoring the inetpub Folder
For any user or IT administrator who deleted the folder—deliberately or by accident—the recovery process is relatively straightforward but does require elevated permissions. Microsoft’s remediation employs a PowerShell script, which performs the following:- Directory Check and Creation: If
C:\inetpubdoes not exist, it is created. - Permissions Assignment: The script sets the folder's permissions to match those expected by IIS and the OS. This generally involves:
- Granting
SYSTEMandAdministratorsfull control - Setting appropriate read/execute rights for
IIS_IUSRS(if present) and other system accounts - Handling Subfolders: If
DeviceHealthAttestation(a folder used for device health attestation services) is also present, its permissions are likewise reset. - Safeguards for Customization: If other subfolders are found, the script makes no changes—avoiding accidental permission shifts on production IIS servers.
| Scenario | Script Action |
|---|---|
| Folder deleted/missing | Created + permissions applied |
| Folder exists, empty | Permissions applied |
| Folder exists, only DeviceHealthAttestation present | Permissions applied to both directories |
| Folder contains other subdirectories | No changes (script exits) |
Broader Implications for Windows Security Patching
This episode illustrates how the growing complexity of Windows security infrastructure occasionally conflicts with user expectations or standard system hygiene practices. The automated creation and protection ofC:\inetpub is a logical, if inelegant, safeguard given the underlying CVE—but it also demonstrates Microsoft’s increasingly assertive approach to remediation.For IT departments, this means paying closer attention to patch documentation and emerging advisories, rather than relying solely on traditional "if you don’t use it, remove it" routines. Enterprise images, group policies, and endpoint management scripts may need updating to accommodate these new requirements.
For individual users, it’s a signal that not every unfamiliar directory signals trouble—and that rapid deletion, absent context, can occasionally do more harm than good.
Practical Advice for Windows Users and Admins
Here’s how users and sysadmins should navigate this situation:- Don’t Panic: The presence of
C:\inetpubafter this update is expected—even without IIS enabled. - Don’t Delete the Folder: Deletion triggers a need for manual remediation. Retain the folder to ensure continued system security.
- If Already Deleted: Use Microsoft’s PowerShell script as soon as possible to restore intended permissions and close the security gap. Always run scripts obtained from official Microsoft sources and verify digital signatures where possible.
- Monitor Patch Notes: Each Patch Tuesday will continue to bring changes, many of which affect areas “under the hood.” Stay up-to-date with both the official changelogs and trusted tech journalism.
- Document Customization: If running IIS or customizing Windows for specialized uses, audit changes and backup configurations prior to major updates.
A Case Study in Communication and Trust
The broader lesson is not technical, but organizational. This episode has exposed a soft spot in the feedback loop between Microsoft and its user base: when system-level changes are made quietly, even in the name of security, they risk eroding user trust. Transparent, timely, and accessible communication—especially when unexpected changes occur—builds confidence and, ultimately, a more resilient Windows ecosystem.Industry experts widely agree that security is a journey, not a destination. These kinds of changes are likely to become more common as threat actors continue to probe and exploit edge-case privilege escalation opportunities. For all its messy complexity, the situation is a testament to the ongoing, real-time evolution of security strategy in the world’s most-used desktop OS.
Conclusion: Lessons Learned and Looking Forward
The appearance—and consequences—of theinetpub folder following April’s Windows update is more than a small quirk: it’s a window into the delicate balancing act of secure, comprehensible, and user-friendly operating system maintenance. While the technical fix for CVE-2025-21204 is straightforward, the incident will likely be remembered not for its code, but for its communication missteps and the unintentional anxiety it caused among Windows users.For now, administrators and users alike should focus on keeping systems up to date, applying Microsoft’s official scripts where needed, and maintaining an open line of sight between emerging security advisories and day-to-day management habits. As Windows continues to shift and evolve, so too must the attitudes and practices surrounding what makes a system not just usable, but truly secure.
Ultimately, the best defense is an informed, proactive user—backed by software vendors who understand the value of clear, consistent dialogue about what’s happening under the hood. As with so many cybersecurity issues, knowledge is the greatest safeguard of all.
Source: Windows Report Deleted the inetpub folder on Windows 10/11: Here's what you need to do