The mysterious inetpub folder is actually a crucial part of a Windows security fix
Remember the odd inetpub folder that seemingly randomly appeared on people's root drives after installing a Windows 11 update? Everybody assumed it was something left over from an update script, and that the folder was safe to remove. Well, it turns out that's not the case, as the empty folder is actually a crucial part of a security fix for a serious vulnerability.
Initially undocumented in the official release notes, the empty and seemingly inactive inetpub folder led to user speculation about whether it was a leftover artifact from development or a bug. Microsoft has since clarified that the folder is intentional and part of a critical security improvement.
The change addresses CVE-2025-21204, a vulnerability that allowed local attackers to exploit symbolic link (symlink) attacks via Windows Update, potentially granting unauthorized access to protected system files or directories. As part of the fix, the system pre-creates certain directories - including C:\inetpub - to harden the update process and mitigate such attacks.
Cyberdom
If you've already removed the folder, you can reinstall the April 2025 cumulative update to restore the folder, or you can wait for next month's update roll-up, which will also restore the folder.
This lone, empty folder at your Windows PC's root is apparently a crucial part of the security of your computer, but since it took Microsoft a while to publish release notes, nobody knew where it was coming from. The idea that a random, empty folder usually associated with IIS could be part of a vulnerability mitigation didn't cross anybody's mind at the time, especially since random folders appearing at a Windows PC's root aren't exactly uncommon or out of the ordinary.
The consensus seems to be that creating this folder is a pretty clever form of mitigation, despite feeling so hacky. I'm assuming Microsoft's engineers are capable, and that making the folder in question impossible to delete or somehow hidden is simply not an option and would break the vulnerability mitigation, but that doesn't change the fact that this looks like a really crude hack that should be solved in a more elegant way.