Microsoft Releases PowerShell Script to Restore Critical C:\inetpub Folder in Windows 11

Microsoft has released a PowerShell script called **Set-InetpubFolderAcl**, which generates the **C:\inetpub** folder if it has been removed on Windows 11. This action is essential even if Internet Information Services (IIS) is not present on the system, as the folder should not be deleted for security reasons.

In a dedicated script aimed at system administrators, Microsoft assists in recreating this folder using the following commands:

«`powershell
Install-Script -Name Set-InetpubFolderAcl
C:\Program Files\WindowsPowerShell\Scripts\Set-InetpubFolderAcl.ps1
«`

According to the company, this script is designed to configure the correct IIS permissions to prevent unauthorized access and mitigate potential vulnerabilities associated with **CVE-2025-21204**. This vulnerability pertains to improper handling of symlink permissions within the Windows update stack. It likely indicates that the Windows Update Center may follow symlinks on unpatched devices (for instance, those lacking the KB5055523 update) in ways that could allow local attackers to trick the OS into accessing or intentionally altering files or folders. Microsoft asserts that if successfully exploited, attackers with low-level privileges could escalate their rights within the system and manipulate or perform file management operations under the NT AUTHORITY\SYSTEM account.

In early April 2025, Microsoft clarified that the empty folder was intentionally created on users’ PCs and specified that April’s cumulative updates for Windows would not be installed if the **C:\inetpub** directory was present before deploying update KB5055523.

«This folder should not be removed regardless of whether Internet Information Services (IIS) are enabled on the target device. This behavior is part of security enhancements and does not require any action from system administrators or end users,» Microsoft stated. The company did not elaborate on how the existence of an empty inetpub folder would enhance the security of Windows PCs.

Previously, users reported that update KB5055523 for Windows 11 created the **C:\inetpub** folder on their PCs, even if the Internet Information Services (IIS) was not enabled in the system.

The inetpub folder is the default directory for Microsoft’s Internet Information Services (IIS), containing subdirectories necessary for IIS operation—for example, the **wwwroot** subfolder is meant to hold files to be published on the web server via HTTP and the **ftproot** for FTP, among others.

Notably, the inetpub folder is empty after the installation of KB5055523. Ownership of the folder is attributed to the SYSTEM account, indicating that it was created by a process with elevated privileges, in this case, the cumulative update.

While the presence of this folder does not impact system performance or stability, its unexpected creation raised questions among users about whether this was a new feature introduced with the update or merely a result of an error. Deleting the folder has not caused any issues for Windows 11 users.