Microsoft publishes script to recreate inetpub

On the April 2025 patch day, there was confusion among Windows 10/11 users about a newly created "inetpub" folder. Some users deleted this folder, although Microsoft requires it. Microsoft has now released a "repair" script that restores this folder on the Windows system partition.

What is inetpub all about?

After the April 2025 patch day (April 8, 2025), there was an increase in complaints from Windows users who suddenly saw an "inetpub" folder created on their Windows drive by the installed update. The April 2025 updates for Windows 10 (2019 and 22H2) and Windows 11 (23H2 and 24H2) were responsible.

The empty "inetpub" folder was created on the drive for security reasons to mitigate the vulnerability CVE-2025-21204 exploited by the Lumma malware. Microsoft wrote in the FAQ on the vulnerability that the new folder %systemdrive%\inetpub created on the device by the updates should not be deleted. This applies regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of the changes that increase protection and did not require any action from IT administrators or end users. I reported on this in the article Windows 10/11: April 2025 updates create "inetpub" folder.

Script for creating the folder

Unfortunately, after reports appeared on the Internet, many users deleted this folder manually. For this reason, Microsoft has published a PowerShell script with which the folder can be created again.


The script Set-InetpubFolderAcl.ps1 is available for download in the PowerShell Gallery at this URL. The script must be run with administrative privileges; it is installed from the PowerShell console with the following command:

Install-Script -Name Set-InetpubFolderAcl

The script checks whether the inetpub directory exists. If the inetpub directory does not exist, it is created and the standard IIS permissions are applied to the directory.

If an empty folder exists, the script sets the default IIS permissions for the inetpub directory. If the inetpub directory exists and contains only the DeviceHealthAttestation subdirectory, the default IIS permissions are applied to both directories.

If the inetpub directory exists and contains other subdirectories, the script is terminated without making any changes.
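To see which of these cases applies on a machine before running the repair script, the following read-only check classifies the folder and lists its current owner and ACL entries. It is an added example, not Microsoft's script or code from the original post; the function name Get-InetpubState and the state labels are hypothetical.

```powershell
# Added example: read-only audit, changes nothing on disk.
# Get-InetpubState is a hypothetical helper, not part of Microsoft's script.
function Get-InetpubState {
    [CmdletBinding()]
    param(
        # %systemdrive%\inetpub, the folder the April 2025 updates create
        [string]$Path = (Join-Path $env:SystemDrive 'inetpub')
    )

    $state  = 'Missing'
    $owner  = $null
    $access = @()

    if (Test-Path -LiteralPath $Path -PathType Container) {
        # -Force also lists hidden and system entries
        $children  = @(Get-ChildItem -LiteralPath $Path -Force)
        $otherDirs = @($children | Where-Object {
                $_.PSIsContainer -and $_.Name -ne 'DeviceHealthAttestation' })
        $files     = @($children | Where-Object { -not $_.PSIsContainer })

        if     ($otherDirs.Count -gt 0) { $state = 'OtherSubdirectories' }
        elseif ($files.Count -gt 0)     { $state = 'NotDescribed' }
        elseif ($children.Count -eq 0)  { $state = 'Empty' }
        else                            { $state = 'DeviceHealthAttestationOnly' }

        # Current owner and ACEs, for comparison after the repair script has run
        $acl    = Get-Acl -LiteralPath $Path
        $owner  = $acl.Owner
        $access = @($acl.Access | Select-Object IdentityReference,
            FileSystemRights, AccessControlType, IsInherited)
    }

    # What the Microsoft script does in each state, as described in the article
    $behaviour = @{
        Missing                     = 'creates the folder and applies default IIS permissions'
        Empty                       = 'applies default IIS permissions to the folder'
        DeviceHealthAttestationOnly = 'applies default IIS permissions to both directories'
        OtherSubdirectories         = 'terminates without making changes'
        NotDescribed                = 'folder holds files only; the article does not cover this case'
    }

    [pscustomobject]@{
        Path = $Path; State = $state; ScriptBehaviour = $behaviour[$state]
        Owner = $owner; Access = $access
    }
}

Get-InetpubState | Format-List
```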
