Late last year, I went on a long journey to rid myself of as much of my remaining ties to the big technology giants as I could. This journey is still ongoing, with only a few thin ties remaining, but there’s one big one I can scratch off the list: mobile in-store payments with NFC tap-to-pay. I used Google Pay and a WearOS smartwatch for this, but neither of those work on de-Googled Android – I opted for GrapheneOS – and it seemed like I was just going to have to accept the loss of this functionality.

That is, until I stumbled upon a few forum posts here and there suggesting a solution: Garmin, maker of fitness trackers and smartwatches with a strong focus on sports, health, and the outdoor lifestyle, has its own mobile NFC tap-to-pay service that supposedly worked just fine on any Android device, de-Googled or not. In fact, people claimed you could even remove the companion Garmin application from your phone entirely after setting up the payment functionality, and it would still keep working. This seemed like something I should look into, because the lack of NFC tap-to-pay is a recurring concern for many people intending to switch to de-Googled Android.

So, late last year, many of you chipped in, allowing me to buy a Garmin smartwatch to try this functionality out, for which I’m incredibly grateful, of course. Here’s how all of this works, and if it’s a good alternative for Google Pay.

The Garmin Instinct 2S Solar

First, let’s dive into which watch I chose to buy. Garmin has a wide variety of fitness trackers and smartwatches in its line-up, from basic trackers, to Apple Watch/WearOS-like devices, to outdoor-focused rugged devices. I opted for one of the outdoor-focused rugged devices, because not only would it give me the Garmin Pay functionality, but also a few other advantages and unique features I figured OSNews readers would be interested in: a simple black-and-white transflective memory-in-pixel display, a battery life measured in weeks (!), a solar panel built into the display glass, and a case constructed out of lightweight but durable plastics instead of heavy, scratch-prone metal. The specific model I opted for was the Instinct 2S Solar in Mist Grey.

I wasn’t intending for this to become a review of the watch as a whole, but I figured I might as well share some notes about my experiences with this particular watch model. It’s important to note though that Garmin offers a wide variety of smartwatches, from models that look and feel mostly like an Apple Watch or wearOS device, to mechanical models with ‘invisible’ OLED displays on the dial, to ruggedised, button-only watches for hardcore outdoor people. If you’re interested in a Garmin device, there’s most likely a type that fits your wishes.

The Instinct 2S is definitely not the most beautiful or attractive watch I’ve ever had on my wrist. It has that “rugged” look some people are really into, but for me, I definitely had to get used to it. I do really like the colour combination I opted for, though, as it complements the black/white transflective memory-in-pixel display really well. I’ve grown to… Appreciate the look over time.

The case and bezel of the watch are made out of what Garmin calls “fiber-reinforced polymer”, which is probably just a form of fiber-reinforced plastic. Regardless of the buzzwords, it feels nice and sturdy, with a great texture, and not at all plasticy or cheap. Using a material like this over the metals the Apple Watch and most WearOS devices are made of has several advantages; first, it makes the device much lighter and thus more pleasant to wear, and it’s a lot sturdier and resilient than metals. I’ve banged this watch into door sills and countertops a few times now, and there’s not a scratch, dent, or discoloration on it – a far cry from the various metal Apple Watches and WearOS devices I own, which accumulated dings and scratches within weeks of buying them.

The case material is one of the many ways in which this watch chooses function over form. Sure, metals might feel premium, but a high-quality plastic is cheaper to make, lasts longer, is more resilient, and also happens to be lighter – it’s simply the objectively better choice for something you wear on wrist every day, exposed to the elements. I understand why people want their smartwatch to be made out of metal, but much like how the orange-red plastic of the Nexus 5 is still the best smartphone material I’ve ever experienced (the white and black models uses inferior plastics), this Garmin tops all of the metal watches I own.

The strap is made of silicone, and has an absurd amount of tightly-spaced adjustment holes, which makes it very easy to adjust to changing circumstances, like a bit of extra slack for when you’re working out. It also has a nice touch in that the second loop has a little peg that slots into an adjustment hole, keeping it in place. Ingenious. Other than that, it’s just a silicone band with the clasp made out of the same sturdy, pleasant “fiber-reinforced polymer” as the case.

The lens over the display is made out of something Garmin calls “Power Glass™”, and I have no idea what that means. It just feels like a watch lens to me – solid, glassy, and… I don’t know, round? The unique aspect of the display glass is, of course, the built-in solar panel. It’s hard for me to tell what kind of impact – if any – the solar panel has on the battery life of the device. What quite obviously does not help is that I live in the Arctic where sun hours come at a bit of a premium, so it’s been impossible for me to stand outside and hold out my arm for a while to see if it had an effect on the charge level. There’s a software widget that shows you the recorded solar intensity, but unsurprisingly for my latitude, it’s always low. It’s only over the last few days we’ve been getting some more consistent sun, and I did notice the widget showed… Something. I feel like it added some charge back to the battery indicator, but it’s hard to tell from such little sun exposure.

But what if you’re a normal person who doesn’t choose to live in a place where humans are not supposed to live? Well, searching through online reports doesn’t give any clear answers, as people’s experiences are all over the place. There’s also little to no proper, scientific data available, so all I can say is… Your mileage will very much vary. The solar panel option isn’t particularly expensive, so I suggest you apply some common sense if you’re interested in a Garmin watch that offers it. Live in California or Sydney or whatever? Probably worth it. Live in a place where the sun doesn’t rise for a week? Probably not worth it. Spend most of your day outside? Probably worth it. Spend most of your day holed up inside at your computer? Probably not worth it. You get the gist.

The display is the star of the show for me. It uses a technology called “transflective memory in pixel”, which basically means that while it’s only monochrome, it also happens to use very little power. It’s excellently visible under any and all conditions, inside or outside, rain or shine, and always-on, and sometimes almost feels more like an e-ink display than an LCD. I think most people prefer a regular colour display on their smartwatch, but ever since Sony started using monochrome OLED displays on its MiniDisc recorders, I love the monochrome aesthetic on a device where I personally don’t really need a full-colour, high refresh rate display.

This display technology is one of the reasons this watch can boast battery life measured in weeks instead of days. On a full charge, the watch will happily keep going for two to three weeks, which is absolutely insane compared to other smartwatches. Of course, you lose the fancy colour OLED display and complex applications from the average Wear OS device or Apple Watch, but everything else a smartwatch is supposed to do – notifications, extensive activity tracking, showing the damn time, and so on – works great on the Garmin. Considering all I used my smartwatches for is notifications and payments, I’m not missing much.

This particular type of Garmin smartwatch does not have a touchscreen, instead relaying on five physical buttons; two on the left side, three on the right. Navigating the user interface with these buttons is definitely not as intuitive as using touch on an Apple Watch or wearOS device, but after a few days to a week you’ll get used to it. If the idea of using physical buttons that change their function based on context bothers you, you should probably opt for one of the touchscreen models.

The software on the Instinct 2S is much more expansive than you’d expect at first glance. Thanks to the extensive array of sensors on the device, you can track a lot of different health metrics, and thanks to its standalone, built-in GPS, you can track detailed location data, too. You can browse through all of this data on the watch itself, and customise almost every pixel of the display to your liking, displaying whatever data you want, from the current weather, to any of the seemingly dozens and dozens of health metrics. All of this data is synced to the accompanying smartphone application, through which you can also install additional applications and watchface options.

While the Instinct 2S is definitely not as elegant or easy to use as a wearOS device or an Apple Watch, it more than makes up for it with its weeks-long battery life and incredibly solid, rugged construction. Not having to charge every day changes the game for smartwatches, and makes it far less likely you slowly end up just not bothering with it anymore, and the solid construction means you won’t have to baby it as you go about your day. Especially if you spend a lot of time doing physical activities – you play a ton of sports, you’re outside a lot, you have a job involving physical labour, and so on – you’re definitely going to appreciate it.

But let’s get to what we’re here for – mobile in-store payments with NFC tap-to-pay without Google or Apple. That’s where Garmin Pay comes in.

Garmin Pay

Garmin Pay is, as the name suggests, Garmin’s alternative to Google Pay and Apple Pay. Google’s and Apple’s payment service have a lock on the market for mobile in-store payments with NFC tap-to-pay, on both phones and smartwatches. On Android, Google Pay’s NFC tap-to-pay functionality is heavily tied to both Google Play Services, and your operating system needs to be certified by Google for it to work. Unsurprisingly, none of the de-Googled Android ROMs are certified by Google, so NFC tap-to-pay simply does not work if you de-Google your Android device.

In fact, devices like the Pixel Watch or Samsung wearOS devices simply do not work on de-Googled Android devices at all. The functionality of wearOS is deeply tied to Google Play Services, so much so that even on GrapheneOS, which sandboxes Google Play Services instead of relying on microG, they will not work. The one-two punch is complete: NFC tap-to-pay won’t work on your phone, and even if it did, you can’t use a wearOS device for tap-to-pay. Aren’t monopolies great?

Luckily for us, though, Garmin set out to create its own payment service, and that’s what we’ll be looking at today. Garmin Pay is effectively a clone of Google Pay or Apple Pay, and it works in pretty much the same way. Add your payment card in the Garmin application on your phone, and you can start paying with NFC tap-to-pay with your Garmin smartwatch. The experience is virtually identical to setting up and using Google Pay or Apple Pay, but does not require any certification or blessing from Google, so it works just fine even on de-Googled devices.

Garmin Pay employs the same security and privacy measures as Google’s and Apple’s alternative, too. Garmin Pay uses watch-specific card numbers and transaction codes for every purchase, your card number is not stored on the device or on Garmin’s servers, and it’s not shared with merchants. You authenticate Garmin Pay through a passcode entered on the device, which you need to re-enter once every 24 hours, and after every time you remove the watch from your wrist. In other words, if someone somehow manages to rip the watch off your wrist, they won’t be able to pay with it unless they also happen to know your passcode.

You might wonder how you’re supposed to enter a passcode on a device with just five physical side buttons and no touchscreen, and you’ll not be surprised to learn it’s a bit a hassle. Here’s the passcode entry screen:

You rotate the number wheel with two buttons on the left, and confirm each individual number, highlighted in the circle, with a button on the right. Especially in the beginning, this is an incredibly finicky process, and while you do get better at it with time, it’s simply not a great experience. At least you only have to enter the code once every 24 hours (assuming you need to use NFC tap-to-pay every 24 hours), so I just internalised entering the code as I walk to the grocery store from my house, or after parking the car if I need to drive somewhere.

After this, the process is self-explanatory: hold the watch near the payment terminal, and the payment goes through. That’s it. In my experience, payment terminals recognise and process Garmin Pay payments considerably faster than Google Pay payments on either my Pixel Watch 2 or Galaxy Watch4 Classic; my pet theory is that this might be because of the plastic casing being more optimal for NFC, but I haven’t done any research into this.

In keeping with the outdoor focus of the Instinct 2S, you don’t actually need your phone with you in order to pay with your watch. In fact, while you need the Garmin Connect smartphone application to do the initial Garmin Pay setup and add your payment card, you’re entirely free to delete the Connect application afterwards, and Garmin Pay on the watch will keep working just fine.

One thing that’s missing – at least for me, with my bank – is a payment history inside the Garmin Connect application or on the watch itself. Garmin Connect says there’s no payment history available, and directs me to my bank statement. My bank’s smartphone application gives me a highly detailed list of my payments, though, so it’s not a huge deal, but I’d still like to have Garmin Pay payment history inside the Connect application, if only for completeness’ sake. My guess is that sharing such payment history is up to the bank, so you could perhaps argue this is a form of privacy protection? I don’t know.

As great as it all sounds until now, none of it will be of any use to you if your bank does not support Garmin Pay. Garmin keeps a detailed list of all banks who participate in Garmin Pay, organised per country. I can only speak for the two countries whose banks I am aware of – The Netherlands, and my current country of residence, Sweden – and it seems the majority of banks in both countries support Garmin Pay. Before you make any purchase decisions, check this list to make sure your bank supports Garmin Pay.

If your bank supports Garmin Pay, and everything is set up on your phone and Garmin smartwatch, you can proceed to use Garmin Pay wherever there’s an NFC tap-to-pay terminal. Here in Sweden every store has those now, and I think the same applies to The Netherlands. As such, I have no need to carry my wallet or – worse yet – cash, which is great. Despite de-Googling my smartphone, I don’t have to miss out on the convenience and safety of modern payment methods.

Conclusion

When I initially wrote about using Garmin Pay to avoid Google Pay, some people wondered if this wasn’t a case of out of the frying pan into the fire, and I’d like to address that here. Reducing your reliance or use of the big technology companies’ products and services isn’t an all-or-nothing approach; you’ll soon find that unless you go full cabin-in-the-woods, avoiding big technology companies is effectively impossible, so whatever you end up doing, you’re always going to be using their products one way or another.

In cases where alternatives are hard to come by, like NFC tap-to-pay, you’ll either have to forgo the feature and convenience entirely, or settle for the least-worst option. In this particular case, I opted for the latter. Le mieux est le mortel ennemi du bien, and while I would definitely prefer a proper open source solution, preferably European in origin, opting for a smaller tech company that, as far as I know, does a pretty good job making sure their products are platform-independent, is good enough for me.

Reducing your reliance on the major technology companies is a long and often frustrating process, where you’re constantly weighing options and alternatives, consider upsides and downsides, evaluate costs, and after all that, you somehow have to draw conclusions and make decisions. It’s often easier to just stick with the Googles and Apples of this world, and I honestly don’t fault anyone for doing so. There’s enough shit in this world for us normal people to deal with, and we all choose our own hills to die on.

I do not use any Apple or Microsoft products, but that’s been the case for a long time now. Getting rid of Google has proven to be a much more complicated and drawn-out task, since there’s a few products and services I just cannot do without. There were three difficult products and services to ditch: Android, Google Photos, and WearOS with NFC tap-to-pay. I use GrapheneOS on my Pixel 8 Pro now, but that’s still Android by Google on a Pixel 8 Pro by Google. I still use Google Photos because none of the alternatives fill me with confidence, but every time I take a photo of our kids and see it sucked up into Google Photos it chafes.

But now I can say that I managed to at least move away from one of them – this Garmin smartwatch with Garmin Pay is an imperfect alternative, for sure, but it’s a huge leap in the right direction while we wait for regulators to wake up and make it possible for (European) open source alternatives to compete.

The Trinity Desktop Environment, the modern-day continuation of the KDE 3.x series, has released version R14.1.4. This maintenance release brings new vector wallpapers and colour schemes, support for Unicode surrogate characters and planes above zero (for emoji, among other things), tabs in kpdf, transparency and other new visual effects for Dekorator, and much more.

TDE R14.1.4 is already available for a variety of Linux distributions, and can be installed straight from TDE’s own repositories if needed.

The Wii homebrew community has been dealt a pretty serious blow, as developers of The Homebrew Channel for the Wii have discovered that not only does an important library most Wii homebrew software rely on use code stolen straight from Nintendo, that same library also uses code taken from an open source real-time operating system without giving proper attribution.

Most Wii homebrew software is built atop a library called libogc. This library apparently contains code stolen from Nintendo’s SDK as well as from games using this SDK, decompiled and cleaned. This has been known for a while, but it was believed that large, important parts of libogc were at least original, but that, too, turns out to be untrue. Recently it has been discovered that libogc’s threading/OS implementation has been stolen from RTEMS, an open source real-time operating system.

The developers of libogc have indicated that they do not care, intend to do nothing about it, and deleted any issues reporting the stolen code. What’s wild about the code stolen from RTEMS is that it’s an open source operating system with a nice, permissive license; there was no need to steal the code at all, and all it would take to address it is proper attribution.

As such, the fail0verflow group, which develops The Homebrew Channel for the Wii, has ceased all development on The Homebrew Channel, and archived the code repository.

The Wii homebrew community was all built on top of a pile of lies and copyright infringement, and it’s all thanks to shagkur (who did the stealing) and the rest of the team (who enabled it and did nothing when it was discovered). Together, the developers deceived everyone into believing their work was original.

Please demand that the leaders and major contributors to console or other proprietary device SDKs and toolkits that you use and work with do things legally, and do not tolerate this kind of behavior.

↫ The Homebrew Channel GitHub page

Considering Nintendo is on a crusade to shutdown emulators, stuff like this is really not helping anyone trying to argue that consoles should be open devices, that emulators play an important role in preservation, and that people have a right to play the games they own on a device other than the console it’s intended for.

I’m sure this isn’t the last we’ll hear about this development.

Few things in life make me happier than a new 9front release. This new release, 9front “CLAUSE 15 COMMON ELEMENTS OF MAUS AND STAR TYPE”, comes with a variety of fixes and new features, such as temperature sensor support for Ryzen processors, a new Intel i225 2.5 GbE driver, a number of low-level kernel improvements, and so, so many more small fixes and changes.

If you use 9front, you already know all of this, and you’re too cool to read OSNews anyway. If you’re new to 9front and want to join the cool people club, you can download images for PC, Raspberry Pi, MNT Reform, and QEMU.

We’ve had a lot of fun with VTech’s computers in the past on this blog. Usually, they’re relatively spartan computers with limited functionality, but they did make something very interesting in the late 80s. The Socrates is their hybrid video game console/computer design from 1988, and today we’ll start tearing into it.

↫ Leaded Solder web log

Now we’re in for the good stuff. A weird educational computer/game console/toy thing from the late ’80s, by VTech. I have a massive soft spot for these toy-like devices, because they’re always kind of a surprise – will it be a stupidly simple hardcoded device with zero input/output, or a weirdly capable computer with tons of hidden I/O and a full BASIC ROM? You won’t know until you crack it open and take a peek!

VTech still makes things like this, and I still find them ever as fascinating.

Apparently, the Bcachefs people are having problems with case-folding, and Linus Torvalds himself is not happy about it. Torvalds holds the only right opinion in this matter, which is that filesystems should obviously be case-sensitive.

Case-insensitive names are horribly wrong, and you shouldn’t have done them at all. The problem wasn’t the lack of testing, the problem was implementing it in the first place.

[…]

Dammit. Case [in]sensitivity is a BUG. The fact that filesystem people still think it’s a feature, I cannot understand. It’s like they revere the old FAT filesystem so much that they have to recreate it – badly.

↫ Linus Torvalds on the LKML

It boggles my mind that a modern operating system like macOS still defaults to being case-insensitive (but case-preserving), and opting to install macOS the correct way, i.e. with case-sensitivity, can still lead to issues and bugs because macOS isn’t used to it. In 2025. Windows’ NTFS is at least case-sensitive, but apparently Win32 applications get all weird about it; if you have several files with identical names save for the case used, Win32 applications will only allow you to open one of them. I’m not sure how up to date that information is, though.

Regardless, the notion that Readme.txt is considered the same as readme.txt is absolutely insane, and should be one of those weird relics we got rid of back in the ’90s.

The Steam store and desktop client will soon be able to help players find games that feature accessibility support. If your game has accessibility features, you can now enter that information in the Steamworks ‘edit store’ section for your app.

↫ Steam announcements page

I have a lot of criticism for the Steam client application – it’s a overly complex, unattractive, buggy, slow, top-heavy Chrome engine wrapped in an ugly user interface – but this is a great change and very welcome addition to Steam. Basically, with this, game developers can indicate which accessibility features their game has, allowing users to specifically search for those features, create filters, make sure they can play the game before buying, and so on.

The client-side part of the feature is not yet available – it seems Valve is giving developers some time to fill in the necessary information – but once it is, you’ll be able to tell at a glance what accessibility a game has. Such information on the store page of games tends to be a great marketing tool, with reviews quickly pointing out if certain expected features are not present. Any game that lacks support for the Steam Deck or Proton, for instance, will often have a few reviews at the top mentioning as such, and games with invasive DRM can’t get away with that either without reviews on Steam pointing it out. I wouldn’t be surprised if these accessibility feature listings well quickly become another thing users will simply expect to be there.

Regardless, this is great news for people who rely on such features, but even if you don’t specifically – accessibility features are often just useful features, period.

Welcome to a photo-driven tour of the IBM z17. I’ve scoured the image library to pull dig deep inside these machines that most people don’t get an opportunity to see inside, and I’ll share some of the specifications gleaned from the announcement and related Redbooks.

↫ Elizabeth K. Joseph at the IBM community website

These IBM mainframes don’t have to be beautiful, but they always are. I wish I could see a z17 up close – hopefully IBM will release a detailed video walkthrough of one of these at some point, including taking one apart and putting it back together.

TacOS is a UNIX-like kernel which is able to run DOOM, among various other smaller userspace programs. It has things like a VFS, scheduler, TempFS, devices, context switching, virtual memory management, physical page frame allocation, and a port of Doom. It runs both on real hardware (tested on my laptop) and in the Qemu emulator.

↫ TacOS GitHub page

TacOS – great name – is written in C, and explicitly a hobby and toy project. The code’s licensed under the Mozilla Public License 2.0.

The headline sets the stage, and the article delivers.

This was the most interesting bug I’ve encountered for a while. I initially had a hard time believing that a bug like this would directly tie to a specific OS release, but I was proven completely wrong. At the end of the day, it was a simple bug in San Andreas and this function should have never worked right, and yet, at least on PC it hid itself for two decades.

This is an interesting lesson in compatibility: even changes to the stack layout of the internal implementations can have compatibility implications if an application is bugged and unintentionally relies on a specific behavior. This is also not the first time I encountered issues like this: regular visitors might remember Bully: Scholarship Edition which famously broke on Windows 10, for very similar reasons. Just like in this case, Bully should have never worked properly to begin with, but instead, it got away with making incorrect assumptions for years, before changes in Windows 10 finally made it run out of luck.

↫ Adrian Zdanowicz

Incredible story.

The fines weren’t the only Digital Markets Act news coming from this fine continent today. The European Commission also closed its investigation into Apple’s user choice obligations under the DMA, and while Apple has made good progress in a few areas, the EC states Apple is still acting illegally in a variety of others.

First, the good news for Apple: the European Commission is happy with Apple’s changes regarding browser choice, the ability to remove preinstalled iOS applications, and the ability to change a whole bunch of default settings that are all locked outside of the EU. These are valuable and welcome changes, and I’m glad the European Union, the European Parliament, and the Commission have forced Apple to become less hostile to European consumers.

Second, there’s the bad news for Apple. Under the DMA, Apple is obligated to allow for third-party application stores, and the ability for users to download and install applications directly from the internet. In this area, Apple is still breaking European Union law.

The Commission takes the preliminary view that Apple failed to comply with this obligation in view of the conditions it imposes on app (and app store) developers. Developers wanting to use alternative app distribution channels on iOS are disincentivised from doing so as this requires them to opt for business terms which include a new fee (Apple’s Core Technology Fee). Apple also introduced overly strict eligibility requirements, hampering developers’ ability to distribute their apps through alternative channels. Finally, Apple makes it overly burdensome and confusing for end users to install apps when using such alternative app distribution channels.

↫ European Commission press release

This outcome was entirely expected, and pretty much everyone – except Apple’s PR attack dogs – knew Apple’s malicious compliance, fees, and onerous hurdles were going to be a hard sell. I’m glad the European Commission seems unimpressed with Trump’s sabre-rattling about the EU’s consumer protection laws, and is continuing to whip US tech companies in line, making sure they stop violating our consumer protection laws.

Since these are the outcomes of a preliminary investigation, Apple now has the chance to argue its case.

The European Commission has levied fines against both Apple and Facebook for violating the Digital Markets Act. Apple has to pay a €500 million fine, and Facebook a €200 million fine. Apple is breaking EU law by not allowing application developers to inform users of other offers outside the App Store.

The Commission found that Apple fails to comply with this obligation. Due to a number of restrictions imposed by Apple, app developers cannot fully benefit from the advantages of alternative distribution channels outside the App Store. Similarly, consumers cannot fully benefit from alternative and cheaper offers as Apple prevents app developers from directly informing consumers of such offers. The company has failed to demonstrate that these restrictions are objectively necessary and proportionate.

↫ European Commission press release

Not only is Apple ordered to pay the €500 million fine, they also have to remove any and all of the illegal restrictions they put in place.

Facebook, meanwhile, was fined for not offering an equally functional services but without combining user data from different services. The company did offer a choice between paying and not paying – whereby the latter involved data collection and combination – but this model violated the DMA.

The Commission found that this model is not compliant with the DMA, as it did not give users the required specific choice to opt for a service that uses less of their personal data but is otherwise equivalent to the ‘personalised ads’ service. Meta’s model also did not allow users to exercise their right to freely consent to the combination of their personal data.

↫ European Commission press release

Facebook did later amend their model to make it compliant with the DMA, and so the fine only covers the few months Facebook was violating EU law. Fun additional note: the EC also mentions that the Facebook Marketplace is no longer a gatekeeper service under the DMA, since its user numbers has dropped below the threshold. Facebook seems to be having some engagement issues in Europe, and you love to hear it.

Both companies are required to pay and comply within 60 days, or further periodic penalty payments will be levied.

Remember the odd inetpub folder that seemingly randomly appeared on people’s root drives after installing a Windows 11 update? Everybody assumed it was something left over from an update script, and that the folder was safe to remove. Well, it turns out that’s not the case, as the empty folder is actually a crucial part of a security fix for a serious vulnerability.

Initially undocumented in the official release notes, the empty and seemingly inactive inetpub folder led to user speculation about whether it was a leftover artifact from development or a bug. Microsoft has since clarified that the folder is intentional and part of a critical security improvement.

The change addresses CVE-2025-21204, a vulnerability that allowed local attackers to exploit symbolic link (symlink) attacks via Windows Update, potentially granting unauthorized access to protected system files or directories. As part of the fix, the system pre-creates certain directories — including C:\inetpub — to harden the update process and mitigate such attacks.

↫ Cyberdom

If you’ve already removed the folder, you can reinstall the April 2025 cumulative update to restore the folder, or you can wait for next month’s update roll-up, which will also restore the folder.

This lone, empty folder at your Windows PC’s root is apparently a crucial part of the security of your computer, but since it took Microsoft a while to publish release notes, nobody knew where it was coming from. The idea that a random, empty folder usually associated with IIS could be part of a vulnerability mitigation didn’t cross anybody’s mind at the time, especially since random folders appearing at a Windows PC’s root aren’t exactly uncommon or out of the ordinary.

The consensus seems to be that creating this folder is a pretty clever form of mitigation, despite feeling so hacky. I’m assuming Microsoft’s engineers are capable, and that making the folder in question impossible to delete or somehow hidden is simply not an option and would break the vulnerability mitigation, but that doesn’t change the fact that this looks like a really crude hack that should be solved in a more elegant way.

Ars Technica took a look at how the current version of Windows Recall works, including the improvements Microsoft made since the initial security nightmare of a rollout, and concludes:

Recall continues to demand an extraordinary level of trust that Microsoft hasn’t earned. However secure and private it is—and, again, the version people will actually get is much better than the version that caused the original controversy—it just feels creepy to open up the app and see confidential work materials and pictures of your kid. You’re already trusting Microsoft with those things any time you use your PC, but there’s something viscerally unsettling about actually seeing evidence that your computer is tracking you, even if you’re not doing anything you’re worried about hiding, even if you’ve excluded certain apps or sites, and even if you “know” that part of the reason why Recall requires a Copilot+ PC is because it’s processing everything locally rather than on a server somewhere.

↫ Andrew Cunningham at Ars Technica

Way back in 1996, Mercedes-Benz unveiled the A-Class, a small, practical car that purported to be more premium than cheaper, similarly-sized cars from other brands. The car had a big problem, though – it was unusually narrow and tall, and because of it, it famously failed spectacularly at the “moose test”, in which a car has to suddenly swerve around a “moose” on the road. The car simply toppled over, and after initially denying the problem, Mercedes recalled every single A-Class sold and added a variety of mitigations like electronic stability control and suspension changes. As far as I can recall, it fixed the issue.

To this day, however, I cannot look at an A-Class, even the modern ones which look like normal hatchbacks and bear effectively zero resemblance to the original, quirky A-Class from 1996, and not think of the failed moose test and the recall. I know the modern A-Class won’t fail that test, and I know it’s an infinitely safer car than the original one, but my brain still makes that connection every time I see one. A lot of people my age, whether they’re into cars or not, seem to remember this recall, because the original A-Class was such a unique and recognisable vehicle at the time, especially coming from Mercedes.

My point is – Recall will face this same issue. No matter how secure Microsoft makes it, no matter how much they claim and prove it only runs locally, no matter how hard they try and hammer on the fact data never leaves your PC, people will always think of that initial botched rollout, and all the accurate reporting that Recall was a nightmare. And it just so happens that the skepticism is warranted, and hopefully keeps people from using this corporate Trojan horse.