Windows 11: Microsoft warns do not delete inetpub folder after causing confusion

Microsoft has warned that users must not delete “inetpub” folder on Windows 11 after the April 2025 Update created it. This folder was initially assumed to be a bug in Windows 11 KB5055523 and other April 2025 cumulative updates, including Windows 10. It turns out it’s an intentional change, but Microsoft forgot to document it—until users discovered it and the confusion blew up.

On April 8, Windows Latest spotted that Windows 11 24H2 had quietly created a folder called “inetpub” out of nowhere. The “inetpub” is not a random name because it’s typically created when you use IIS (Internet Information Services) to host websites or apps on Windows 11, but now it shows up on PCs even when you don’t have the folder.

Technically, as per Microsoft’s own documentation, “inetpub” folder is created and used to manage IIS (Internet Information Services) logs. When the IIS feature is turned on to develop web apps or apps, Windows creates a new directory C:\inetpub\logs\LogFiles, so you can see the logs when locally hosting websites or apps.

After users installed KB5055523 or other April 2025 updates, they noticed a new empty folder, “inetpub,” with zero bytes of size in the system drive. The folder is created even when we don’t use the IIS feature. This was initially assumed to be an issue in Windows 11 KB5055523 and other updates.

However, it turns out that the “inetpub” folder has been intentionally created as part of a security patch.

Microsoft told me you’re not supposed to remove the folder even if Windows 11 allows you to. That’s because it’s linked to a security patch for a bug titled “CVE-2025-21204“, which is a flaw that allows attackers to modify the system files or folders.

“The CVE-2025-21204 security flaw is caused by an improper link resolution issue before file access (‘link following’) in the Windows Update Stack which likely means that, on unpatched devices, Windows Update may follow symbolic links in a way that can let local attackers trick the system into accessing or modifying unintended files or folders,” Microsoft noted in its advisory.

Unfortunately, Microsoft’s original advisory and other support documents failed to explain that an “inetpub” folder will be created when you install Windows 11 April 2025 Updates, and you’re not supposed to delete it.

Today, after causing confusion among users, Microsoft finally corrected the mistake. It quietly updated the support document to clearly state that the “inetpub” folder was intentionally created as part of its efforts to patch the above-mentioned vulnerability (CVE-2025-21204).

“After installing the updates listed in the Security Updates table for your operating system, a new %systemdrive%\inetpub folder will be created on your device,” Microsoft noted in a support document spotted by Windows Latest.

“This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behaviour is part of changes that increase protection and does not require any action from IT admins and end users,” the company added.

What to do if you removed the “inetpub” folder assuming it to be a bug?

There’s no need to panic if you’ve already removed the %systemdrive%\inetpub folder assuming it to be an issue with Windows 11. After all, it was Microsoft’s fault that the changes in the release notes were not correctly clarified.

Regardless, if you removed the folder, you must restore it, and this can be done by turning on IIS (Internet Information System) from the Optional Features page:

1. Open Control Panel > Programs > Programs and Features.
2. “Turn Windows features on or off” on the left-hand side.
   
3. In the dialog box, scroll down and check the box next to “Internet Information Services.”
4. Click OK, and Windows will recreate the inetpub.

Once IIS is installed, you don’t need to make additional changes to Windows 11. This will restore the folder.

Microsoft told Windows Latest that users need to follow the above steps if they have accidentally deleted the folder. This empty folder must remain present on the Windows 11 system partition ( %systemdrive%\inetpub) for the security patch to work correctly. The folder provides “increased protection.”

According to Microsoft, turning on IIS creates the same folder with the same protection, and your PC is not vulnerable.

Update: Microsoft will not explain why the empty folder is required to apply the security fixes.