To enhance security a new Exploit Protection Setting was added to Windows when installing September 2025 CU.
This adds several protections to OWSTIMER.EXE including an option that prevents creating child processes.
SharePoint 2010 workflows require the workflow definition to be compiled using the CSC.EXE compiler – and this fails due to this Exploit Protection setting.
Symptoms
Starting Sharepoint 2010 workflow steps in the SharePoint Timer Service fails:
In ULS you will find an error similar to this:
09/18/2025 16:30:31.47 OWSTIMER.EXE (0x1BE8) 0x1844 SharePoint Foundation Legacy Workflow Infrastructure amq7q Medium Workflow on association 'Test Workflow' compile had errors: <Error><CompilerError Line="-1" Column="-1" Text="Compilation failed. Cannot execute a program. The command being executed was "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\mossfarmacct\AppData\Local\Temp\wxaoqzay.cmdline"." /></Error>
Solution
A fix for this issue has been released with February 2026 CU for SharePoint
To mitigate the problem using the following Workaround:
Open Windows Settings and navigate to the following Exploit Prevention settings:
Windows Settings
Privacy & Security
Windows Security
App & Browser Control
Exploit Protection Settings
Program Settings
OWSTIMER.EXE
Edit the settings for OWSTIMER.EXE and set the following option to “Off”:
- Do not allow child processes
The SharePoint Timer Service (SPTimerV4) needs to be stopped and restarted after this configuration change.
After applying this change SharePoint 2010 workflows will work again.
Permalink
Hi Stefan,
Is there an KB article on this yet?
I would like to keep this documented for my clients.
Permalink
No. We just identified it. Kb will most likely be released with a fix.
Permalink
But many customers see my blog as documentation as well. 😊
Permalink
I completely understand, I wasn’t sure if this was a KB article that I would be looking for.
I find you site critical for current issues with updates and fixes.
Thanks for sharing all the time!
Permalink
Hi Stefan,
I just tested a 2010 Approval workflow and it seemed to run OK. I also can’t find this path in the Local Group Policy Editor on Windows Server 2016.
Permalink
Hi Marlene, the issue only occurs with SharePoint Server Subscription Edition. Based on the OS details you provided it seems you tested an earlier SharePoint version.
Cheers,
Stefan
Permalink
I did. We’re using SP 2016.
Permalink
Thanks, Stefan.
I’ll roll this out to all our SharePoint Server Subscription Editions.
I would appreciate if the “Improvements and fixes” of the Cumulative Update briefly mentioned that new security features were rolled out, especially Exploit Protection improvements. One week later, we all now know they exist and they blocked a little too much.
Permalink
For our SPSE farm on Windows Server 2022, we didn’t see the issue for our 2010 style workflows until we added a pause step to the workflow, like we saw in your workflow status screenshot. The Exploit Protection settings are grayed out, so I could not adjust the specified setting via the GUI. However, I was able to implement the change and verify it worked by running this PowerShell:
Set-ProcessMitigation -PolicyFilePath <path>\OWSTIMER_AllowChildProcesses.xml
Restart-Service SPTimerV4
OWSTIMER_AllowChildProcesses.xml contains the following:
Permalink
Looks like the XML got stripped out of my reply. Here it is again without the tags:
MitigationPolicy
AppConfig Executable=”OWSTIMER.EXE”
ChildProcess DisallowChildProcessCreation=”false” Audit=”false”
AppConfig
MitigationPolicy
Permalink
Hi Fred,
I assume this resolved the issue?
Cheers,
Stefan
Permalink
Yes. Thanks!
Permalink
👍
Permalink
Hi Stef,
Can I please have fully formatted XML file? I have got the same issue after Sep 2025 CU install.
Permalink
Hi Harry,
which XML file do you mean? The article does not talk about an XML file.
Cheers,
Stefan
Permalink
Hi Stef,
I think I should have asked Fred Heath in above comments. But anyways we created one as per the instructions from Fred Heath and it fixed our issue.
Thanks Fred Heath and Stefan.
Permalink
Ah! Got it!
Should have scrolled up a little more….
Permalink
Hi Stefan,
Do we have to apply the changes shown above on all the WFE’s and APP severs on the farm. I tested this change on my dev server (single server farm) and it worked.
Also do we uncheck the checkbox for “override system settings” or just the on/off button.
Thanks,
Lovai
Permalink
Hi Lovai,
yes – exactly. It depends on the default settings of your operating system.
By keeping the checkbox to override the settings and setting it to off will guarantee that it will work independent of your OS settings.
Cheers,
Stefan
Permalink
Great Thanks Stefan for your prompt response.
Also, do I need to apply this change to all the WFE’s and APP servers on the farm. Just wanted to conifrm.
thanks,
Lovai
Permalink
Yes
Permalink
Hello Stefan
After update my farm in 13 september my work flow has not work. Users Error is
Retrying last request. Next attempt scheduled after 23.09.2025 21:00. Details of last request: HTTP Unauthorized to http://srv28/KgipTemlate/test4/_api/web/lists(guid'477c0da1-f572-4751-bc76-61071792f6c2‘) Correlation Id: 2afcb89f-a0e3-bd39-aded-a01adcb28446 Instance Id: 769791cf-109a-46b6-bf33-876b0ec4b2f8
I read your solution – but do not help it to me
ULS in front server of my farm
SPApplicationAuthenticationModule: Failed to authenticate request, unknown error. Exception details: System.IdentityModel.Tokens.SecurityTokenException: The actor token’s outernameid claim is null or whitespace. в Microsoft.SharePoint.IdentityModel.SPJsonWebSecurityBaseTokenHandler.ValidateTokenIssuer(JsonWebSecurityToken token) в Microsoft.SharePoint.IdentityModel.SPJsonWebSecurityBaseTokenHandler.ValidateToken(SecurityToken token) в Microsoft.SharePoint.IdentityModel.SPJsonWebSecurityTokenHandler.ValidateToken(SecurityToken token) в Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.TryExtractAndValidateToken(HttpContext httpContext, SPIncomingTokenContext& tokenContext, SPIdentityProofToken& identityProofToken) в Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.ConstructIClaimsPrincipalAndSetThreadIdentity(HttpApplication httpApplication, HttpContext httpContext, SPFederationAuthenticationModule fam, String& tokenType) в Microsoft.SharePoint.IdentityModel.SPApplicationAuthenticationModule.AuthenticateRequest(Object sender, EventArgs e)
I have lates update on Shrepoint work flow server ( 16.0.15601.20418 – version )
If i use system account + “Workflows can use app permissions” – my work flow – is working
Permalink
Hi Antonio,
the only supported patch level of SharePoint Workflow Manager (SPWFM) is 16.0.18526.20518 which is the August 2025 CU for SPWFM.
September 2025 CU only supports the most recent patch level of SPWFM.
If your SPWFM has patch level 16.0.15601.20418 you need to upgrade it to August 2025 CU.
Ensure to also upgrade the SPWFM client components on each SPWFM server and all SharePoint servers.
https://blog.stefan-gossner.com/2025/08/12/august-2025-cu-for-sharepoint-workflow-manager-is-available-for-download/
Cheers,
Stefan
Permalink
Thanks for the reply. Unfortunately, it didn’t help me. I’ll describe what I tried to do.I have reinstalled winserver 2022
IIS + ASp 4.8. + .net 4.8 + windows auth
1-install- MicrosoftServiceFabric.11.2.274.1 /acceptula
2 -install- sharepointworkflowmanagerclient_x641 16.0.15601.20418
3 install- sharepointworkflowmanager 16.0.15601.20418
4 –Workflow Manager Configuration -create new farm
Now i have workflow 2013 but error
Retrying last request. Next attempt scheduled after 23.09.2025 21:00. Details of last request: HTTP Unauthorized to http://srv28/KgipTemlate/test4/_api/web/lists(guid'477c0da1-f572-4751-bc76-61071792f6c2‘) Correlation Id: 2afcb89f-a0e3-bd39-aded-a01adcb28446 Instance Id: 769791cf-109a-46b6-bf33-876b0ec4b2f8
5- install- sharepointworkflowmanagerclient_x641 16.0.15601.20518 ( front server+ app server + workflow servers)
6- Workflow Manager Configuration – upgrade
7 – install sharepointworkflowmanager-x64-subscription-kb5002750-fullfile-x64-glb
after reboot
service
Workflow Manager Backend no start
Service Bus Resource Provider no start
Service Bus Message Broker no start
Service Bus Gateway no start
Service Fabric Host Service work
8- Workflow Manager Configuration – upgrade cannot complete – error is
Could not load file or assembly ‘System.Memory, Version=4.0.1.1, Culture=neutral,
PublicKeyToken=cc7b13ffcd2ddd51’
Permalink
Check this article:
https://blog.stefan-gossner.com/2025/08/21/trending-issue-system-memory-dll-missing-after-installing-august-2025-cu-for-sharepoint-workflow-manager/
Permalink
Stefan thanx for your replay
i am run your script – my problem is gon
But new is coming
Now every time i run work flow on the site – i have
Initiator: Anonymous
Started: 30.09.2025 18:57 Internal Status: Not Started
Last run: 30.09.2025 18:57 Status:
Running Workflows
qqq 30.09.2025 18:57 Not Started
qqq 30.09.2025 18:37 Not Started
on the SPWF server
workflow manager backend service stops every time a workflow is triggered
my problem is the same like this
https://learn.microsoft.com/fr-fr/answers/questions/5563089/sharepoint-workflow-manager-after-september-2025-u
errors is the same.
Help please !
Permalink
Hi Antonio,
I cannot find an escalation related to this issue inhouse.
If not already done, I would suggest to open a support case for this with Microsoft.
Cheers,
Stefan
Permalink
Is anybody test this case https://sharepoint.stackexchange.com/questions/316073/sharepoint-workflow-issues-after-installing-september-2025-cu-for-sp2019-and-aug .
Stefan Goßner
How you thing is it can be helpful.
Permalink
This may be specific to my company’s environment, but I’ll share it anyway, in case others have run into it. Due to the September issues, we skipped applying those updates. I have deployed the October 2025 updates to our DEV and TEST farms, and we are currently testing.
I used Fred Heath’s method of applying this setting via PowerShell (thank you, Fred!!), and I confirmed that the OWSTIMER.EXE exploit protection had applied successfully. OWSTIMER.EXE was listed as having 1 system override, and it was the override to turn off ‘do not allow child processes.’
Important note – I may have applied this setting PRIOR to installing the October updates in an effort to avoid the possibility of experiencing the issue, but I can’t say that with 100% certainty.
After applying the October updates and running PSCONFIG on the farms, testing revealed scheduled workflows were failing to start with the csc.exe error in ULS that Stefan referenced in this post.
When I checked the exploit protection settings, it listed OWSTIMER.EXE as having 15 overrides, and the override for ‘do not allow child processes’ was set to ON.
I don’t know if this setting was reverted due to the possibility of applying the override setting after installing updates and running PSCONFIG, but it was reverted consistently across all of the servers in the farms that I patched.
If this happened as a result of the order in which I applied the override versus the patches/PSCONFIG, should I expect that the override setting will need to be re-applied every time patches are installed, or perhaps every time PSCONFIG is executed, until a fix is eventually incorporated into a future patch? Thanks!
Permalink
Hi Brett,
this upgrade action which was introduced in September 2025 CU and is carried forward in October CU shuld be applied only once. So you should not have to bother about this going forward.
Cheers,
Stefan
Permalink
Thanks, Stefan (again!) – We have a lot of workflow processing that occurs in the OWSTIMER process on a couple of our production farms, so to minimize the chance of issues, I’m going to disable the Workflow and Nintex Workflow Scheduler timer jobs prior to updates
After applying updates, PSCONFIG, and applying/verifying the exploit override is in place, I’ll re-enable those timers.
Just posting this as an idea for others who may have run into the same issues I did and who may have similar workflow processing concerns. Stay safe out there, y’all!
Permalink
Has this been fixed in November 2025 CU?
Permalink
No, you still need to use the workaround in my blog post.
Permalink
Thank you, Stefan. Much appreciated.
Permalink
Just wanted to note that because of our CIS hardening rules we were not able to directly disable the Do not allow child processes setting. However, using @Fred Health’s PowerShell command and XML file we were able to turn it off. Thanks Fred!
We do still have a ticket open with MS as we do still have a couple of edge cases that aren’t working following this fix.
Permalink
Seeing the same for the default DISA policies. For us, it’s a Group Policy in:
Computer Configuration / Policies / Administrative Templates / Windows Components/Microsoft Defender Antivirus/Microsoft Defender Exploit Guard/Attack Surface Reduction
ASR Rule d4f940ab-401b-4efc-aadc-ad5f3c50688a
OR
ASR Rule 26190899-1602-49e8-8b27-eb1d0a1ce869
https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#asr-rule-to-guid-matrix