SharePoint Server 2025 CU for SharePoint Server 2016, 2019 and Subscription Edition includes security hardening for SharePoint Server 2013 workflows which enforces the most recent SharePoint Workflow Manager updates to be installed on SPWFM.
As a side effect this also prevents classic workflow manager workflows from running as this version does not comply with this new security requirement.
If SPWFM is not on the latest patch level or if classic workflow manager is being used the workflow actions are failing and retried a couple of times. The information on the internal status an message will be similar to the following when trying to execute a workflow:
In ULS you will find the following error:
09/11/2025 11:40:42.60 w3wp.exe (0x1AC8) 0x0008 SharePoint Foundation Application Authentication ajezu Unexpected SPApplicationAuthenticationModule: Failed to authenticate request, unknown error. Exception details: System.IdentityModel.Tokens.SecurityTokenException: The actor token's outernameid claim is null or whitespace. at Microsoft.SharePoint.IdentityModel.SPJsonWebSecurityBaseTokenHandler.ValidateTokenIssuer(JsonWebSecurityToken token)
Solution
A fix for this issue has been released with October 2025 CU for SharePoint
Upgrade Classic Workflow Manager to SharePoint workflow manager using either of the following steps and ensure to also apply the most recent SPWFM CU:
- Migrating Workflow Manager to SharePoint Workflow Manager on new hardware
- Upgrade existing Microsoft Workflow Manager
A fix is in development to reenable classic workflow manager to work again with SharePoint Server.
The current plan is to release this fix with October CU for SharePoint Server 2016, 2019 and Subscription Edition
Permalink
Thanks for sharing! What does this mean to SharePoint 2010 workflows? According to Microsoft they should be still supported until EOL of SharePoint 16/19 next year.
Permalink
Hi Andy,
SharePoint 2010 workflows do not use workflow manager and are not affected by this change.
Cheers,
Stefan
Permalink
According to the Microsoft site WFM is supported until next year! Now suddenly it isn’t?
https://learn.microsoft.com/en-us/lifecycle/products/microsoft-workflow-manager-10
Permalink
That is for Workflow Manager, not SharePoint Workflow Manager. SharePoint Workflow Manager is still supported.
Permalink
Hi Berta,
the point is that both workflow manager versions are supported if you check the box in the article.
Cheers,
Stefan
Permalink
Yes thank you Stefan, but I was replying to David’s concern that the End Of Life/End of Support for Workflow Manager 1.0 passed already in 2023 and was trying to clear up confusion for him. Workflow Manager 1.0 support ended in 2023, but the same lifecycle website shows that SharePoint Workflow Manager support follows the SharePoint Server Version (https://learn.microsoft.com/en-us/lifecycle/products/sharepoint-workflow-manager).
Permalink
Hi David,
I understand your concern. If this is an important issue for you my suggestion would be to open a case with Microsoft Support to ensure that we can start a discussion about this with our product group.
Cheers,
Stefan
Permalink
Thanks! Yes, I’ve already opened a case.
Permalink
Hi David,
can you please send me the SR number using the “contact the blog author” option at the top right of this page?
Thanks,
Stefan
Permalink
Done
Permalink
Thanks – I have taken ownership of the case and just sent you an email with next steps.
Cheers,
Stefan
Permalink
Hi,
I renewed my custom certificate for SharePoint 2019 farm and found all workflows do not start “Waiting for workflow”. Is this related to the CU?
Permalink
Hi Amy,
if the workflows worked with this CU before renewing the certificate, then – NO.
Cheers,
Stefan
Permalink
Hi all,
we got an update on the issue with classic workflow manager support for SharePoint Server after September 2025 CU: the plan is to add a fix for this issue which reenables classic workflow manager to work again with SharePoint Server.
The current plan is to release this fix with October CU for SharePoint Server 2016, 2019 and Subscription Edition
Cheers,
Stefan
Permalink
That’s great news!
Permalink
Great news thank you. I just spent a couple of days unsuccessfully trying to upgrade Classic Workflow Manager to SPWFM, so I’m glad to hear the classic workflow manager support is coming back.
Permalink
Hi Vladimir,
investing into SPWFM migration should still be done as classic workflow manager will be unsupported after July 14th, 2026. After this date only SPSE with SPWFE workflows will be supported.
Cheers,
Stefan
Permalink
Great News Stefan. So this would mean we don’t need to “touch” the current Workflow Manager server installation, just “skip” the September CU (to not get the issues with non working WFs) and apply October CU instead?
Permalink
Hi Daniel,
yes exactly.
Cheers,
Stefan
Permalink
KB5002784 has this “improvement”: “In order to use workflows in SharePoint Server, you must now have the »latest update« for SharePoint Workflow Manager installed.”
➡️ What is the latest update? Is it KB5002750 from August 2025?
Since September 2025 CU some Workflow 2010 fail after a Pause activity. The Workflow History logs “[WorkflowName] failed to run”. ULS has a “Compilation failed” exception, but no details what failed to compile:
RunWorkflow Exception: Microsoft.SharePoint.SPException:
Permalink
Hi Benjamin,
yes August 2025 CU for SharePoint Workflow Manager (SPWFM) is the most recent version.
SharePoint 2010 Workflows are not using SPWFM. SPWFM is only for SharePoint 2013 Workflows.
Cheers,
Stefan
Permalink
Since the September 2025 CU, SharePoint 2010 Workflows fail when there’s a Pause-Action (DelayForActivity). I can reproduce the issue on at least two SharePoint Farms: I created new sites and list-workflows, with just a log-action, a pause-action and another log-action. The first log-action works successfully, the pause-action is started successfully, but when the pause duration is over (it should continue with the next log-action), the Workflow History shows “[WorkflowName] failed to run” and ULS has a CompilerError on the “Legacy Workflow Infrastructure”.
One farm has the SPWFM with August 2025 CU installed, the other Farm has no SPWFM and no “Classic Workflow Manager”.
Is there another “security improvement” that may cause that issue?
I’ll probably have to contact Microsoft Professional Support. Hopefully you have enough resources, since there are already 6 “trending issue” this month. Thanks for your support, Stefan.
Details in ULS:
RunWorkflow: Microsoft.SharePoint.SPException: Error CompilerError Line=”-1″ Column=”-1″ Text=”Compilation failed. Cannot execute a program. The command being executed was "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\SP_Farm_Intranet\AppData\Local\Temp\gtsl0n3h.cmdline".” /Error
at Microsoft.SharePoint.Workflow.SPNoCodeXomlCompiler.LoadXomlAssembly(SPWorkflowAssociation association, SPWeb web)
at Microsoft.SharePoint.Workflow.SPWinOeHostServices.LoadDeclarativeAssembly(SPWorkflowAssociation association, Boolean fallback)
at Microsoft.SharePoint.Workflow.SPWinOeHostServices.CreateInstance(SPWorkflow workflow)
at Microsoft.SharePoint.Workflow.SPWinOeEngine.RunWorkflow(SPWorkflowHostService host, SPWorkflow workflow, Collection
1 events, TimeSpan timeOut)1 events, SPWorkflowRunOptionsInternal runOptions)at Microsoft.SharePoint.Workflow.SPWorkflowManager.RunWorkflowElev(SPWorkflow workflow, Collection
Unfortunately Verbose Logging for “Legacy Workflow Infrastructure” doesn’t give any more useful information about what Xoml-Assembly it triest to load. The File in the Temp-Folder seems get removed immediately, so I can’t look into.
Permalink
Hi Benjamin,
SharePoint 2010 Worklows do not require SPWFM. They are handled internally by SharePoint without any external software like Workflow Manager. Only SharePoint 2013 Workflows required WFM or SPWFM.
The fact that the callstack shows Microsoft.SharePoint.Workflow.
SPWorkflowManageris just a naming coincidence as the relevant class in SharePoint was also named SPWorkflowManager when it was created 15 years ago.So the SP2010 workflow issue is unrelated to any SPWFM updates or issues.
As the issue you are running in is currently not a know issue I would suggest to open a support case with Microsoft to get this analyzed.
Cheers,
Stefan
Permalink
Hello Benjamin and Stefan,
I can confirm this. We are seeing these errors as well with scheduled Nintex Workflows in several farms and have opened a case with Microsoft
Kind regards,
Sven
Permalink
The issue is caused by Windows Exploit Protection blocking OwsTimer from executing csc.exe (C# Compiler), which is required to run some SharePoint Workflows 🤦
Workaround: Adapt the Windows Exploit Protection Rule for OWSTIMER.EXE, check “Override system settings” for everything and set it to “Off”. Then restart the SharePoint Timer Service. Workflows run again 🎉
Hope this gets fixed in the next SharePoint update 🙏
Permalink
Thanks Benjamin!
Do you have a case open for this?
If yes, can you please send me the SR number using “Contact the blog author” at the top right of this page?
Thanks,
Stefan
Permalink
Thanks, Stefan, for reproducing the issue, narrow it down and documenting it.
I confirm that 2010 workflows work again when “Do not allow child processes” is set to “Off” and the other options are back to the way they were before my changes.
I didn’t open a support case since we already found the obvious cause and have a solution. Your feedback was faster than making a lap of honor. Your Blog is often our second-to-last hope.
Permalink
😊
Permalink
Hi Benjamin,
can you please check if just disabling the option for “Do not allow child processes” resolves this as well?
Cheers,
Stefan
Permalink
Ok, I have a repro.
And I can confirm that disabling just “Do not allow child processes” resolves the issue.
At least it does in my repro.
Will create a new Trending Issue and try to escalation internally.
If someone has a support case for this, please drop me the SR number using “Contact the blog author” at the top right of this page.
Cheers,
Stefan
Permalink
I have a colleague running a single SharePoint 2016 on Windows 2019 DataCenter with WFM installed as well, their is no exploit protection settings for the OWSTIMER.EXE, it isn’t in the list. Can the application be added manually and “Do not allow child processes” is set to “Off” ?
Permalink
Hi Stephen,
the exploit protection settings only exist with SharePoint Server Subscription Edition.
There is no need to add them manually.
Cheers,
Stefan
Permalink
Hi Stefan,
Thank for this.
Wondering is there any workaround fix for M365 sharepoint online which is using SharePoint 2013 Workflow?
Thank.
Permalink
Hi KM,
the issue is still under investigation.
Cheers,
Stefan
Permalink
Please see the system requirement in below link:
https://www.microsoft.com/en-us/download/details.aspx?id=108316
Supported OS:
Windows Server 2019, Windows Server 2022
We are running our SharePoint 2016 & workflow servers on Windows Server 2016. How can we plan to upgrade it?
Permalink
You need to either first upgrade the OS or install a new server.
Permalink
Thanks for replying back.
Quote from above article:
A fix is in development to reenable classic workflow manager to work again with SharePoint Server.
The current plan is to release this fix with October CU for SharePoint Server 2016, 2019 and Subscription Edition
So can we assume that October CU will support classic WFM and Windows Server 2016 together? Please confirm.
Also, can we only upgrade our WFM servers to Windows Server 2019 leaving our SharePoint servers on Windows Server 2016?
Permalink
Hi Aditya,
Classic WFM will be supported in the same way as before September CU.
Cheers,
Stefan
Permalink
I didn’t see this requirement for Windows Server 2019 or 2022 and already installed it on 2016. We are using SPWFM on Windows Server 2016. Now what? Why did it let me upgrade? We’re already in the middle of implementing SPSE on Server 2022, but now I’ll have to stop and fix this? I tested several workflows and they seem to be working.
Permalink
And SharePoint 2016 will become unsupported on the same day as classic workflow manager. So you need to upgrade SharePoint and Wfm.
Permalink
Looking at SPWFM original release from April 2025 https://www.microsoft.com/en-us/download/details.aspx?id=104867 states
„Supported Operating Systems
Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022“
The August 2025 update https://www.microsoft.com/en-us/download/details.aspx?id=108316 states
„Supported Operating Systems
Windows Server 2019, Windows Server 2022“
I inquired about this inconsistency with MS support, and they just quoted the supported OS as being Server 2012 onwards… I installed the Aug 2025 update on Server 2016 OS and it seems to be fine.
Would be good to get a better clarification though… did the supported OS for SPWFM change after Aug 2025 patch? Or is the KB5002750 article just incorrect and needs fixing?
Permalink
Hey Stefan, we installed the Sept 2025 CU without errors but started getting the error you have in the screenshot above on 2013 workflows. We realized we had a slightly older version of SharePoint Workflow Manager installed. We followed the directions and uninstalled the Workflow Manager Client from the 4 servers in our farm. We then installed the newer client on all 4 servers. We then installed the newer version of Workflow Manager and restarted the server. Now the service bus and workflow services will not start. I have opened a case with Microsoft and will send you the case number. I greatly any thoughts you may have on this.
Permalink
Hi Neal,
for August 2025 CU for SPWFM, please check if you followed this guidance:
https://blog.stefan-gossner.com/2025/08/21/trending-issue-system-memory-dll-missing-after-installing-august-2025-cu-for-sharepoint-workflow-manager/
Cheers,
Stefan
Permalink
When I try to run that, I get an error. I downloaded the nuget.exe and put it in the folder but still getting an error on the script. I’ll send you the screenshot with the error.
Permalink
I couldn’t find a way to send you the screenshot file but here is the error:
Feeds used:
Argument cannot be null or empty
Parameter name: primarySources
Feeds used:
Argument cannot be null or empty
Parameter name: primarySources
Error: failed to install required assemblies!
Permalink
Hi Neal,
the script downloads Nuget itself in line 77. No need to download it manually and put it in the folder.
Is it possible that internet access is restricted from the machine you are trying to run the script?
Cheers,
Stefan
Permalink
Yes I believe that is the issue. I have tried to run the script on my work laptop and a couple of servers but get the error on all of them. I think we are blocking the nuget from accessing the internet. I was able to run the script on a personal PC but have no way of getting the files from the personal PC to the work PC.
Permalink
Hi Neal,
in this case you should talk to your IT.
These files are necessary to get August CU for SPWFM working.
Cheers,
Stefan
Permalink
Is there an official statement from Microsoft confirming this?
“Update from September 15th, 2025:
A fix is in development to reenable classic workflow manager to work again with SharePoint Server.
The current plan is to release this fix with October CU for SharePoint Server 2016, 2019 and Subscription Edition”
That would allow me to justify to my IT Security department to delay the September Patch and wait for the October one.
Permalink
Hi Gualberto,
if you are opening a support case with Microsoft, you would get this in an email from an official Microsoft email address rather than from my personal blog.
But chances would be high, that I would send you this email if you are in the EMEA timezone. 😉
If you are looking for a KB article or similar the answer is no.
Cheers,
Stefan
Permalink
Thank you for the reply.
I was wondering if there was a KB or something official already, as you stated. Before I went ahead and opened a case. I’ll go ahead and open one to get it in an official capacity.
For context, basically we are in the process of migrating our SP2016 On-Prem environment to SPO and Power Platform. We still have a couple of Production workflows running in the farm. If by delaying patching by 1 month we can avoid mayor changes (like upgrading from WFM to SPWFM) and the risks that come with them we can focus on finalizing the last few migration of workflows left before the SP2016 EOL date.
Thanks again.
Permalink
Hi Gualberto,
would be great if you could drop me the SR number using “Contact the blog author” as soon as the ticket has been raised.
Cheers,
Stefan
Permalink
Hi Stefan,
cx faced the same workflow error
therefore, we migrated to SPWFM
everything is working from SPWFM end
we observed that the timer job “Refresh Token Metadata Feed” failed with an error, and workflows were also failing with similar errors.
○ Timer job error :
○ The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel..
○ Workflow error
○ Activity in progress
Retrying last request. Next attempt scheduled after 9/27/2025 11:29 PM. Details of last request: HTTP Unauthorized to https://edocs2016.test.aoc.gov/_api/web/lists(guid'3f5c42a5-a1ed-431f-b2ae-5839722c7092') Correlation Id: d68d6228-b9a7-0af1-a728-dca1b747194c Instance Id: 91606d17-6063-42ba-ab43-80b3c4ed816e
Permalink
Hi Anuradha,
“Could not establish trust relationship for the SSL/TLS secure channel.” indicates that the SSL certificate from the SQL server is not trusted by the SPWFM server.
To overcome this you can update the Data Source entry the registry key by adding TrustServerCertifiate=False as here:
HKLM\SOFTWARE\Microsoft\Workflow Manager\1.0:
Data Source=sql.contoso.local;Initial Catalog=WFManagementDB-SSL;Integrated Security=True;Encrypt=True;TrustServerCertificate=False
Cheers,
Stefan
Permalink
Dear Stefan,
when we can expect October 2025 Cumulative Update (CU) for SharePoint Server 2016?
Cheers,
Zoran
Permalink
In around 4-5 hours.
Permalink
Hi Stefan,
I am facing the same issue with SharePoint Workflow Manager, we have installed October 2025 CU but still issue exists. Any ideas?
Permalink
Hi Hossam,
this blog post talks about classic Microsoft Workflow Manager – not SharePoint Workflow Manager.
What is the exact problem / error you are experiencing with SharePoint Workflow Manager?
Cheers,
Stefan
Permalink
Hi Stefan,
It is exactly the same issue mentioned here in this post.
“Retrying last request. Next attempt scheduled after 04/11/2025 09:42. Details of last request: HTTP Unauthorized to https://mybarwa/sites/Depts/NewIT/_api/web/lists(guid'b4ca6351-c02d-48eb-8471-da2c18b79239‘) Correlation Id: b8c37b9c-ff8a-01f3-8be5-25def8061c1c Instance Id: 923fee6d-ec82-4077-9617-3a2941742be9″
Also in logs found the below issue
“SPApplicationAuthenticationModule: Failed to authenticate request, unknown error. Exception details: System.IdentityModel.Tokens.SecurityTokenException: The actor token’s outernameid claim is null or whitespace.
at Microsoft.SharePoint.IdentityModel.SPJsonWebSecurityBaseTokenHandler.ValidateTokenIssuer(JsonWebSecurityToken token)
at Microsoft.SharePoint.IdentityModel.SPJsonWebSecurityBaseTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.SharePoint.IdentityModel.SPJsonWebSecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TryExtractAndValidateToken(HttpContext httpContext, SPIncomingTokenContext& tokenContext, SPIdentityProofToken& identityProofToken)
at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.ConstructIClaimsPrincipalAndSetThreadIdentity(HttpApplication httpApplication, HttpContext httpContext, SPFederationAuthenticationModule fam, String& tokenType)
at Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.AuthenticateRequest(Object sender, EventArgs e)
“
Permalink
Hi Hossam,
this error indicates that the SharePoint Workflow Manager version is older than August 2025 CU.
Starting with September 2025 CU for SharePoint a SharePoint Workflow Manager version of at least August 2025 CU is required.
As August 2025 CU had some issues it is recommended to upgrade SharePoint Workflow Manager to October 2025 CU:
https://blog.stefan-gossner.com/2025/10/14/october-2025-cu-for-sharepoint-workflow-manager-is-available-for-download/
Cheers,
Stefan
Permalink
Hi, Stefan,
We’re encountering this exact error at the moment in our existing SharePoint 2019 farm. For clarity’s sake, to fix this issue, I need to:
* Replace Workflow Manager with the new SharePoint Workflow Manager using the steps here (as we aren’t upgrading SharePoint): https://learn.microsoft.com/en-us/SharePoint/governance/install-and-configure-workflow-for-sharepoint-server#upgrade-existing-microsoft-workflow-manager
* Once I’ve confirmed that the new SPWFM has been installed and is working, I need to run Windows Updates to install the SharePoint Workflow Manager
And one more question:
* Are the steps to reset the Certificate Generation Key the same on the old Workflow Manager? All the articles seem to specify SPWFM only
Permalink
Hi Alan,
if you are currently using classic workflow manager and do not want to upgrade, then this is perfectly fine!
You need to install October or November 2025 CU for SharePoint as it will add support for classic workflow workflow manager.
After installing the fix a setting in SharePoint needs to be updated to enable this support:
https://blog.stefan-gossner.com/2025/10/14/resolved-trending-issue-classic-workflow-manager-workflows-fail-after-september-2025-cu-for-sharepoint/
If you are indeed planning to upgrade to SharePoint Workflow Manager (SPWFM), you need to follow the information in the article you quoted plus you need to upgrade to November 2025 CU for SPWFM:
https://blog.stefan-gossner.com/2025/11/11/november-2025-cu-for-sharepoint-workflow-manager-is-available-for-download/
Cheers,
Stefan
Permalink
Hi, Stefan,
Thanks for the assistance! To be clear, I just need to update the main SharePoint 2019 server with the recent content updates, and after applying that debug flag script and restarting IIS / SharePoint Timer Service, it should clear up the issue? We don’t think it’s a good investment to update to SPWFM especially since SharePoint 2019 is nearing the end of its life so I would rather stick with classic WFM.
Best regards,
Alan
Permalink
Hi Alan,
that is correct. No need to upgrade.
Cheers,
Stefan