Full Report
Microsoft is rolling out a fix for Active Directory issues affecting some Windows Server 2025 systems after installing security updates released since September. [...]
Analysis Summary
# Known Issue: Active Directory DirSync Returns Incomplete Membership for Large Security Groups (Windows Server 2025)
## CVE Details
- CVE ID: N/A (a regression introduced by a Windows update, tracked by Microsoft as a known issue; no CVE is assigned in the material provided.)
- CVSS Score: N/A
- CWE: N/A
## Affected Systems
- Products: Windows Server 2025 (domain controllers running Active Directory Domain Services).
- Versions: Windows Server 2025 systems that installed the September 2025 security update (KB5065426) or any later cumulative update.
- Configurations: Only reads that use the LDAP directory synchronization (DirSync) control (LDAP_SERVER_DIRSYNC_OID, 1.2.840.113556.1.4.841) are affected. Microsoft Entra Connect Sync is the named example; any other sync engine or custom tool that reads AD through DirSync is exposed the same way. Ordinary LDAP reads of the same groups are not reported to be affected.
## Vulnerability Description
After the September 2025 (or a later) security update is installed on a Windows Server 2025 domain controller, a search that carries the DirSync control returns an incomplete `member` list for Active Directory security groups with more than 10,000 members. A consumer that relies on DirSync for membership (for example Microsoft Entra Connect Sync) therefore receives, and propagates, a truncated copy of the group without any error that would indicate the data is partial.
## Exploitation
- Status: Not a vulnerability. This is a functional regression introduced by the update; no attacker involvement is required or described.
- Complexity: N/A (the behaviour is triggered by normal operation of a DirSync client against an affected domain controller).
- Attack Vector: N/A
## Impact
- Confidentiality: Indirect at most. The defect drops members from the synchronized copy rather than adding them, so the direct effect is loss of access, not a grant; exposure is possible only where a large group is used to apply a restrictive control downstream and the missing members escape it.
- Integrity: Downstream copies of group membership (for example in Entra ID via Entra Connect Sync) no longer match on-premises AD for groups over 10,000 members.
- Availability: Users silently dropped from a synchronized group lose whatever access, licensing or policy assignment depends on that group in the target directory.
## Remediation
### Patches
- Microsoft states that a permanent fix will ship in an upcoming Windows update. The article (October 2025) gives no date; the November 2025 Patch Tuesday is the earliest likely cycle, but that is an inference, not a vendor commitment.
### Workarounds
Both workarounds are a Known Issue Rollback (KIR): they switch the regressed code path off until the permanent fix arrives. A restart of the domain controller is required for the override to take effect, and the override should be removed once the fixed update is installed.
1. **Managed devices:** Install the Known Issue Rollback Group Policy that Microsoft provides for this issue and apply it to the affected domain controllers (Computer Configuration > Administrative Templates; see the KIR deployment reference below).
2. **Non-managed devices (registry override):** Add the following value, which is what the KIR policy sets:
   * **Path:** `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides`
   * **Name:** `2362988687`
   * **Type:** `REG_DWORD`
   * **Value:** `0`
## Detection
- **Indicators:** A security group with more than 10,000 members whose membership in the synchronization target (for example Entra ID) is smaller than in on-premises AD after the September 2025 update; users reporting lost access or lost license/policy assignments that are driven by such a group. Entra Connect Sync does not necessarily raise an error, so an unexpectedly small group count is the primary signal.
- **Detection Methods and Tools:** Compare the `member` count of each large group as returned through the DirSync control against a plain LDAP read (which uses ranged retrieval and is not affected); review Entra Connect Sync import and export statistics for groups whose member count dropped after the update; confirm whether the DC has KB5065426 or later installed and whether the KIR override is present.
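The comparison described above, as an added PowerShell example that is not from the article or from Microsoft. It reads every group's full `member` list through the ActiveDirectory module (which performs ranged retrieval), then walks the same naming context with the DirSync control the way a sync engine does and reports any large group whose DirSync count is lower. It assumes the RSAT ActiveDirectory module, a reachable domain controller passed as `$Server`, and that the running account holds the "Replicating Directory Changes" right on the domain partition, which DirSync requires; `$Threshold`, `$reference` and `$dirsyncCounts` are names chosen for this example.

```powershell
# Added example: compare DirSync-returned group membership with a normal LDAP read.
# Not Microsoft's code. Requires RSAT ActiveDirectory module and the
# "Replicating Directory Changes" right on the domain NC for the DirSync search.
param(
    [Parameter(Mandatory)] [string] $Server,   # e.g. dc01.corp.example.com (assumed name)
    [int] $Threshold = 10000                   # member count at which the issue is reported
)

Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$nc = (Get-ADDomain -Server $Server).DistinguishedName

# 1. Reference counts. The AD module resolves 'member' with ranged retrieval,
#    so this is the complete on-premises membership of each large group.
$reference = @{}
Get-ADGroup -Server $Server -Filter * -Properties member |
    Where-Object { $_.member.Count -ge $Threshold } |
    ForEach-Object { $reference[$_.DistinguishedName] = $_.member.Count }

if ($reference.Count -eq 0) {
    Write-Host "No groups with >= $Threshold members on $Server; nothing to compare."
    return
}

# 2. Full DirSync pass over the naming context, as a sync engine would read it.
#    DirSync searches must start at the NC root with subtree scope. With the
#    IncrementalValues option the server returns link values as 'member;range=1-1',
#    so every attribute whose name starts with 'member' is counted.
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()   # current user's credentials

$req = [System.DirectoryServices.Protocols.SearchRequest]::new(
    $nc, '(objectCategory=group)',
    [System.DirectoryServices.Protocols.SearchScope]::Subtree, 'member')

$dirsync = [System.DirectoryServices.Protocols.DirSyncRequestControl]::new()
$dirsync.Option = [System.DirectoryServices.Protocols.DirectorySynchronizationOptions]::ObjectSecurity -bor
                  [System.DirectoryServices.Protocols.DirectorySynchronizationOptions]::IncrementalValues
$req.Controls.Add($dirsync) | Out-Null

$dirsyncCounts = @{}
do {
    $resp = $conn.SendRequest($req)
    foreach ($entry in $resp.Entries) {
        $n = 0
        foreach ($attrName in $entry.Attributes.AttributeNames) {
            if ($attrName -like 'member*') { $n += $entry.Attributes[$attrName].Count }
        }
        $dirsyncCounts[$entry.DistinguishedName] = $n
    }
    # The response control carries the cookie for the next page and the MoreData flag.
    $ctrl = $resp.Controls |
        Where-Object { $_ -is [System.DirectoryServices.Protocols.DirSyncResponseControl] }
    $dirsync.Cookie = $ctrl.Cookie
} while ($ctrl.MoreData)

# 3. Report. 'INCOMPLETE' is the symptom the article describes; a healthy DC
#    (or one with the KIR override applied and restarted) shows Delta = 0 throughout.
foreach ($dn in $reference.Keys) {
    $got = if ($dirsyncCounts.ContainsKey($dn)) { $dirsyncCounts[$dn] } else { 0 }
    [pscustomobject]@{
        Group    = $dn
        Expected = $reference[$dn]
        DirSync  = $got
        Delta    = $got - $reference[$dn]
        Status   = if ($got -lt $reference[$dn]) { 'INCOMPLETE' } else { 'OK' }
    }
}
```

Run it once against an affected domain controller before and once after applying the KIR override and restarting; the Delta column going to zero for every large group confirms the rollback took effect. Reading `member` for every group in the domain is a full scan, so run it on a test DC or outside peak hours on a large directory.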
## References
- News coverage of the issue and of KB5065426: [Microsoft September 2025 Windows Server updates cause Active Directory issues](https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2025-windows-server-updates-cause-active-directory-issues/) (BleepingComputer)
- KIR deployment guidance: [Use Group Policy to deploy a Known Issue Rollback](https://docs.microsoft.com/en-us/troubleshoot/windows-client/group-policy/use-group-policy-to-deploy-known-issue-rollback) (Microsoft Learn)