November 2023 CU for SharePoint Server 2019 is available for download

The product group released the November 2023 Cumulative Update for SharePoint Server 2019 product family. SharePoint Server 2019 is patched with a language dependent and a language independent fix.

The KB article for November 2023 CU will be available at the following Location in a couple of hours:

  • KB 5002526 – November 2023 Update for SharePoint Server 2019 (language independent)
    This is also a security update!
  • KB 5002505 – November 2023 Update for SharePoint Server 2019 (language dependent)

The downloads for November 2023 CU are available through the following links:

Important: It is required to install both fixes (language dependent and independent) to fully patch a SharePoint server. This applies also to servers which do not have language packs installed. The reason is that each SharePoint installation includes a language dependent component together with a language independent component. If additional language packs are added later (only) the language dependent fix has to be applied again.

It is irrelevant which language you pick on the drop down in download center. Even the language dependent fixes are all in the same package for all languages.

After installing the fixes you need to run the SharePoint 2019 Products Configuration Wizard on each machine in the farm. If you prefer to run the command line version psconfig.exe ensure to have a look here for the correct options.

Please ensure to have a look at the SharePoint Patching Best Practices before applying new fixes.

SharePoint 2019 November 2023 CU Build Number:

Language independent fix: 16.0.10404.20003
Language independent fix: 16.0.10404.20003

Related Links:


  1. Greetings Stefan,

    We just applied the November 2023 updates to our test environment and all the web applications, Central Admin included are throwing 500 errors and saying “Cannot read configuration file because it exceeds the maximum file size.” My current prod environment has web.config files with 854 KB before the November updates. Are you aware of this issue? Do you have any suggestions other than increasing the limit for the web.config files?

    Thanks in advance for your response.


  2. Have some questions to verify:
    Why are your web.config files grew up to that size?
    Are you sure you need all that configurations and there’s no garbage?
    What is the size of you central admin web.config file?

    It seems illogical for all the config files to be that size. you should verify why.

    This is a Microsoft safeguard against uploading large configuration files and prevent DDOS attacks.
    If you’re sure that you need these configuration files as is, you have two options:
    1. You can allow large web.config files by adding a registry DWORD MaxWebConfigFileSizeInKB with your needed configuration size in KB to HKLM\SOFTWARE\Microsoft\InetStp\Configuration and
    2. You can split your web.config file to multiple files – not sure if i recommend this path as SharePoint using its Configuration Database to apply configuration to IIS and this kind of modification will not be listed in that database.


    1. We ran into this same issue – with a greatly expanded WEB.CONFIG file.

      Given that we don’t “fiddle” with this file at all and it has grown by changes introduced during patching cycles (this one November 2023 specifically). The patching cycle seems to be the culprit – corrupting/inflating the size of WEB.CONFIG file.

      I used your suggestion to increase the allowable size of the config file and sure enough my sites started serving again.

      We did not see this issue in our lower / DEV environments as those files are not yet over the 900 mark.

      If they are full of “garbage” how do we safely fix them without trashing the farm?

      The web config needs cleansed of crap.


  3. After applying the update, we are suddenly seeing this CSP-header on all responses from our SharePoint-farms:

    Content-Security-Policy: frame-ancestors ‘self’ * * * * * * * * * * * *;

    Any existing CSP-header is simply overwritten with the above, causing us problems for connected systems. However, I cannot find any information about that header being added/overwritten by the patch. How do we avoid the header being added/overwriting our own header?


    1. Hi Anonymous,
      this change was introduced through a security fix released with November 2023 CU.
      I would recommend to open a support case with Microsoft if this causes problems in your environment.


      1. Any update about this? We also have custom CSP-header and we are planning to install the update. But we read this and it will be a problem.


        1. Hi Ricardo,
          I haven’t seen a support case on this topic.
          If this is a concern for you, please open a ticket to allow us to pass your concerns to the product group to get it addressed.


          1. We have raised a support case for this two weeks ago, but I think it hadn’t made it through the system yet: Basically, the CSP-header can be turned off with AllowFraming – but only if you do not have Page Output Caching enabled. With Page Output Caching, the CSP-header gets added on all cached responses. We have not yet found a way around this.

          2. It would be great if you send me the SR number for this case.

          3. Great – I have mailed it to you directly. Let me know if it didn’t reach you.

          4. After some testing I´ve updated to November 2023 CU’s without problem. Now we have two headers in response: first the new CSP added by SharePoint about frame-ancestors, and next my custom CSP about other sources (default-scr, img-scr,… ). I can confirm that all works correctly.

  4. Stefan,
    After application of November 2023 CU’s my CA web app (windows auth) server and 2 other web apps (ADFS/WAP) would NOT serve. 500 errors thrown for those 3 web applications. (KB5032391/KB5032197) where also applied on the prior evening.
    A 4th web app does serve (it uses OKTA for authentication) .

    I rolled the changes to the bytes back on the CA vm and all sites started serving again. At this point I don’t know if the problem is the SP KBs or two other OS KBs.
    For the moment the farm is limping along serving content as those same patches/reboots/PSCONFIG steps where completed without issue.
    I simply can’t get the latest patches on this single vm without the 500 error at the completion. – One problem child in the bunch.


    1. Hi Kevin,
      the first thing to check in such a scenario would be the ULS log. Using the correlation ID included in the http response with the 500 server error would allow to filter the ULS log for the specific request.
      If you need assistance in troubleshooting this issue I would recommend to open a ticket with Microsoft Support.


      1. Stefan,
        The issue turns out to be that we have several WFEs/Site with web.config files >900 KB.

        Either this latest patch has pushed them over the limit or they have steadily increased through time with each CU update and this latest installment pushed them over.

        What ever has occurred the files are too large.

        I modified DWORD MaxWebConfigFileSizeInKB @ HKLM\SOFTWARE\Microsoft\InetStp\Configuration and
        HKLM\SOFTWARE\Wow6432Node\Microsoft\InetStp\Configuration and our sites started serving again.

        I am now carefully using VSCode w/ Unique Lines Extension to identify and remove the duplicated lines from the web.config files for each site on each front end. 🐀

        How they grew to this overblown state is beyond me. But we are recovering.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.