Microsoft confirms Windows April 2025 security update creates 'inetpub' folder
Take action: This is not an advisory in itself, but a weird guidance for all Windows users - The April 2025 Windows Update creates c:\inetpub folder, apparently for "security purposes". No details are provided, but it needs to be remain there - confirmed by Microsoft. Read up on the advisory and linked details. It is what it is.
Learn More
Microsoft has confirmed that the April 2025 Windows security update intentionally creates a new empty "inetpub" folder on users' systems and has explicitly warned users not to delete it. This folder, typically associated with Microsoft's Internet Information Services (IIS) web server platform, is appearing on Windows systems even when IIS is not installed.
BleepingComputer verified this behavior on both Windows 11 and Windows 10 systems, noting that the cumulative update creates the folder using the SYSTEM account. While deleting the folder did not immediately cause any operational issues during their testing, Microsoft has officially stated that this empty folder has been intentionally created as part of a security measure and should remain on users' systems.
The creation of this folder appears to be related to a Windows Process Activation elevation of privilege vulnerability:
- CVE-2025-21204 - A vulnerability caused by an improper link resolution issue before file access ('link following') in the Windows Update Stack.
According to user reports, the April cumulative updates will fail to install if the C:\inetpub directory already exists prior to update deployment. Microsoft has updated their advisory for CVE-2025-21204 to clarify that "this folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device" and that "this behavior is part of changes that increase protection and does not require any action from IT admins and end users."
For users who have deleted the inetpub folder, Microsoft offers a method to recreate it:
- Access the "Turn Windows Features on or off" control panel
- Install Internet Information Services
- This will create a new inetpub folder in the C: drive root (with files included)
- If IIS is not needed, it can be uninstalled through the same control panel
- After a system reboot, the software will be removed but the C:\inetpub folder will remain
Microsoft has not provided details explaining how the inetpub folder "increases protection" or its exact purpose in the security update.
