Microsoft has confirmed that its September 2025 security updates for Windows Server 2025 are causing synchronization issues with Active Directory Domain Services (AD DS).
Synchronization Challenges
The updates are affecting applications like Microsoft Entra Connect Sync, leading to incomplete synchronization of large Active Directory security groups. This problem specifically arises in AD DS environments with group sizes exceeding 10,000 members.
The issue appears after installing security update KB5065426, or any later cumulative update that supersedes it, on Windows Server 2025. Until a fix ships, Microsoft's workaround is to add the following registry override on affected Windows Server 2025 systems:
- Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides
- Name: 2362988687
- Type: REG_DWORD
- Value: 0
Microsoft cautions that incorrect registry modifications can lead to serious problems, potentially requiring an OS reinstallation.
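The override above is normally applied by hand in regedit. The PowerShell script below is an added example (not from Microsoft's advisory or from the article) that applies, verifies or reverts the same override, and optionally lists the AD groups whose size exceeds the 10,000-member threshold the article mentions, so an administrator can gauge exposure before patching. The function names are this example's own; the registry path, value name and value come from the advisory. The restart at the end is assumed, because the article does not say whether one is required, but FeatureManagement overrides are read at boot.

```powershell
# Added example: manage the Windows Server 2025 AD DS sync workaround.
# Run from an elevated PowerShell session on the affected server.
[CmdletBinding()]
param(
    [switch]$Revert    # remove the override once a fixed update is installed
)

$OverridePath = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides'
$OverrideName = '2362988687'   # decimal feature ID named in the advisory
$AffectedKB   = 'KB5065426'    # first update known to carry the problem

function Test-AffectedUpdate {
    # Reports whether this is Windows Server 2025 and whether the named KB shows up.
    # Get-HotFix only lists the KB if it was installed as that package; a later
    # cumulative update that supersedes it will not show, so HasAffectedKB=$false
    # is not proof that the host is unaffected (assumption, see lead-in).
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        IsServer2025  = ($os.Caption -like '*Server 2025*')
        HasAffectedKB = [bool](Get-HotFix -Id $AffectedKB -ErrorAction SilentlyContinue)
        Build         = $os.BuildNumber
    }
}

function Set-SyncOverride {
    # Creates the Overrides key if needed and writes the DWORD value 0.
    if (-not (Test-Path $OverridePath)) {
        New-Item -Path $OverridePath -Force | Out-Null
    }
    New-ItemProperty -Path $OverridePath -Name $OverrideName `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Remove-SyncOverride {
    # Reverts the workaround; safe to call when the value does not exist.
    if (Test-Path $OverridePath) {
        Remove-ItemProperty -Path $OverridePath -Name $OverrideName -ErrorAction SilentlyContinue
    }
}

function Get-SyncOverride {
    # Returns the current override value, or $null if it is not set.
    (Get-ItemProperty -Path $OverridePath -Name $OverrideName -ErrorAction SilentlyContinue).$OverrideName
}

function Find-LargeGroup {
    # Lists groups above the size at which the advisory says sync becomes incomplete.
    # Requires the ActiveDirectory module (RSAT / AD DS role). Reading the 'member'
    # attribute through Get-ADGroup avoids the default result limits of Get-ADGroupMember.
    param([int]$Threshold = 10000)
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADGroup -Filter * -Properties member |
        Where-Object { $_.member.Count -gt $Threshold } |
        Select-Object Name, DistinguishedName, @{ n = 'Members'; e = { $_.member.Count } }
}

$state = Test-AffectedUpdate
Write-Host ("Server 2025: {0}; {1} listed: {2}; build {3}" -f `
    $state.IsServer2025, $AffectedKB, $state.HasAffectedKB, $state.Build)

if ($Revert) {
    Remove-SyncOverride
    Write-Host "Override $OverrideName removed from $OverridePath."
} else {
    Set-SyncOverride
    $value = Get-SyncOverride
    if ($value -ne 0) { throw "Override was not written (read back: '$value')" }
    Write-Host "Override $OverrideName = $value written under $OverridePath."
    Write-Host "Restart the server for the override to take effect (assumed; see lead-in)."
}
```

Run the script without arguments to apply the workaround and read it back, and with `-Revert` after a fixed update is installed. `Find-LargeGroup` is deliberately not called automatically: on a large forest it enumerates every group, so run it interactively (for example `Find-LargeGroup | Format-Table`) on a domain controller or a host with RSAT before deciding whether the workaround is needed.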
Future Fixes and Workarounds
While Microsoft has not revealed the root cause behind these Active Directory synchronization issues, its engineering teams are actively working on a resolution. Support for Microsoft Entra Cloud Sync is expected in a future release.
Additionally, Microsoft is addressing a separate issue affecting updates installed from a network share on Windows 11 24H2 and Windows Server 2025. A Known Issue Rollback (KIR) is automatically mitigating the impact on affected home and non-managed business devices; as with any KIR, enterprise-managed devices receive the rollback only once the corresponding Group Policy that Microsoft publishes for it is deployed.
This follows a previous emergency update in July to remedy a Virtualization-Based Security bug when Trusted Launch is disabled.