Full Report
Microsoft has confirmed that the September 2025 security updates are causing Active Directory issues on Windows Server 2025 systems. [...]
Analysis Summary
# Vulnerability: AD Security Group Synchronization Failure Post-September 2025 Windows Server Update
## CVE Details
- CVE ID: None assigned in the source material. This is a post-patch known issue (a regression introduced by an update), not a vulnerability disclosure.
- CVSS Score: Not available.
- CWE: Not available.
## Affected Systems
- Products: Windows Server 2025
- Versions: Systems running Windows Server 2025 after installing the September 2025 Windows security update (KB5065426) or later updates.
- Configurations: Specific to applications using the Active Directory directory synchronization (DirSync) control for on-premises Active Directory Domain Services (AD DS), such as Microsoft Entra Connect Sync.
## Vulnerability Description
The September 2025 security update (KB5065426) for Windows Server 2025 introduces a defect in Active Directory Domain Services (AD DS) directory synchronization. Clients that use the DirSync control, such as Microsoft Entra Connect Sync, either fail or return incomplete membership for Active Directory security groups with more than 10,000 members.
## Exploitation
- Status: Not applicable (This is an operational bug/defect introduced via an update, not a typical security vulnerability).
- Complexity: Not applicable.
- Attack Vector: Not applicable.
## Impact
- Confidentiality: Potential exposure of incomplete group membership data.
- Integrity: Compromised integrity of group synchronization processes.
- Availability: Reduced availability/functionality of directory synchronization services relying on DirSync control for large groups.
## Remediation
### Patches
- Microsoft states that a fix for the synchronization issue is "in progress"; KB5065426 is the update that introduced the issue.
### Workarounds
**Warning:** The workaround involves a sensitive registry modification performed at the user's own risk, as incorrect modification might require OS reinstallation.
1. **Registry Modification:** Add the following registry value under the listed key:
* **Path:** `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides`
* **Name:** `2362988687`
* **Type:** `REG_DWORD`
* **Value:** `0`
2. **Note on Entra Cloud Sync:** The document notes that Windows Server 2025 support for Microsoft Entra Cloud Sync is planned for a future release.
## Detection
- **Indicators:** Incomplete synchronization reports from directory synchronization tools (e.g., Microsoft Entra Connect Sync) for large security groups (over 10,000 members).
- **Detection methods and tools:** Monitoring directory synchronization job status and logs for errors related to DirSync control processing or for unexpected group membership discrepancies.
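The following PowerShell script is an added example, not code from the advisory or from Microsoft. It applies the registry override listed under Workarounds and then enumerates the groups the known issue can affect, so their member counts can be compared against what the synchronization tool reports. It assumes it is run elevated on the affected Windows Server 2025 host (a domain controller with the ActiveDirectory module installed); the key path, value name, value data and the 10,000-member threshold are taken from this page.

```powershell
# Added example (not from the advisory). Key path, value name, data and the
# 10,000-member threshold are the values documented above; the host is assumed
# to be the affected Windows Server 2025 domain controller.
$OverridePath = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides'
$OverrideName = '2362988687'
$Threshold    = 10000

function Set-DirSyncOverride {
    # Create the Overrides key if it is absent, then write the REG_DWORD 0.
    if (-not (Test-Path -Path $OverridePath)) {
        New-Item -Path $OverridePath -Force | Out-Null
    }
    New-ItemProperty -Path $OverridePath -Name $OverrideName `
        -PropertyType DWord -Value 0 -Force | Out-Null
    # Read the value back so the caller sees exactly what is now stored.
    (Get-ItemProperty -Path $OverridePath -Name $OverrideName).$OverrideName
}

function Get-LargeAdGroup {
    # List groups whose direct membership exceeds the threshold. The 'member'
    # attribute is read through Get-ADGroup because Get-ADGroupMember stops at
    # the ADWS default of 5,000 entries (MaxGroupOrMemberEntries) on big groups.
    Import-Module ActiveDirectory
    Get-ADGroup -Filter * -Properties member |
        Where-Object { $_.member.Count -gt $Threshold } |
        Select-Object Name, DistinguishedName,
            @{ Name = 'MemberCount'; Expression = { $_.member.Count } }
}

$written = Set-DirSyncOverride
if ($written -ne 0) { throw "Override value is $written, expected 0" }
Write-Host "Override applied: $OverridePath\$OverrideName = $written"

$large = Get-LargeAdGroup
if ($large) {
    Write-Host "Groups over $Threshold members (compare with the sync tool's counts):"
    $large | Format-Table -AutoSize
} else {
    Write-Host "No group exceeds $Threshold direct members; the known issue does not apply."
}
```

Run the group enumeration again after a synchronization cycle and compare the MemberCount column with the membership the sync tool reports; a shortfall on a group above the threshold is the symptom this page describes.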
## References
- Vendor Advisories: Microsoft Windows release health dashboard update for Windows Server 2025 (associated with KB5065426).
- Relevant links:
* learn.microsoft.com/en-us/windows/release-health/status-windows-server-2025#directory-synchronization-fails-for-ad-security-groups-exceeding-10-000-members
* learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-prerequisites?tabs=public-cloud#:~:text=This%20registry%20modification%20is%20a%20workaround.%20Windows%20Server%202025%20support%20for%20Microsoft%20Entra%20Cloud%20Sync%20is%20planned%20for%20a%20future%20release.