October 2025 CU for SharePoint Server Subscription Edition is available for download

- - 36 Comments
Important: If September 2025 CU for SharePoint has been installed before, remove the NT Authority\system account from WSS_WPG and IIS_IUSRS local security groups of the SharePoint machines – otherwise installing the SharePoint fixes will fail.

For more details check this article: Trending Issue: SharePoint fixes fail to install after installation of September 2025 CU

The product group released the October 2025 Cumulative Update for SharePoint Server Subscription Edition.

Monthly SharePoint Server Subscription edition updates are released as a single unified “uber” package containing both the language independent and language dependent fixes. Language independent and language dependent fixes will no longer be released separately. This is similar to the full server packages released for SharePoint 2013.

The KB article for October 2025 CU will be available at the following location in a couple of hours:

  • KB 5002786 – October 2025 Update for SharePoint Server Subscription Edition
    This is also a security update!

The download for October 2025 CU is available through the following link:

It is irrelevant which language you pick on the drop down in download center. It will always download the same package.

After installing the fix you need to run the SharePoint Products Configuration Wizard on each machine in the farm. If you prefer to run the command line version psconfig.exe ensure to have a look here for the correct options.

Please ensure to have a look at the SharePoint Patching Best Practices before applying new fixes.
 
SharePoint Server Subscription Edition October 2025 CU Build Number: 16.0.19127.20262
 
Important: To minimize the installation time for SharePoint Server Subscription Edition Fixes, please follow the guidance in the following article: Solving the extended install time for SPSE CUs

 
Related Links:

36 Comments


  1. After applying the October 2025 Cumulative Update, the SYSTEM account is automatically re-added to the WSS_WPG group. Interestingly, upon re-evaluating the SharePoint Health Analyzer’s warning “Verify various user groups don’t have elevated permissions” it no longer appears – even though SYSTEM remains a member of WSS_WPG.
    All services and web applications are configured to use managed accounts, as confirmed via the FarmCredentialManagement.aspx page.

    Reply

  2. The CU was correctly applied, yet in patch and installation status, there is no trace of this build: 16.0.19127.20262
    Is this normal ?

    Reply

    1. Hi Alex,
      did you run the SharePoint configuration wizard?
      Cheers,
      Stefan

      Reply

      1. Of course I did. Even twice.

        Reply

        1. Hi Alex,
          please check in control panel – installed updates. Do you see the correct version number listed there and the install date when you applied the update?
          Cheers,
          Stefan

          Reply

          1. OK, just figured out that your script (https://github.com/stefangossner/Install-SPSE_Fix/blob/main/Install-SPSE_Fix.ps1) does not handle any installer errors.
            If I look in the logs, the install fails with the following errors:

            10/16/2025 16:40:22.237 [19992]: Assembly Install: Failing with hr=80070005 at RemoveDirectoryAndChildren, line 393

            10/16/2025 16:40:22.237 [19992]: Detailed info about C:\Windows\assembly\temp\9LFX3XCIC0\microsoft.ceres.contentengine.recordcache.dll

            10/16/2025 16:40:22.237 [19992]: File attributes: 00000080

            10/16/2025 16:40:22.377 [19992]: Restart Manager Info: 4 entries

            10/16/2025 16:40:22.377 [19992]: App[0]: (5364) IIS Worker Process (), type = 5

            10/16/2025 16:40:22.377 [19992]: App[1]: (3552) IIS Worker Process (), type = 5

            10/16/2025 16:40:22.377 [19992]: App[2]: (8792) IIS Worker Process (), type = 5

            10/16/2025 16:40:22.377 [19992]: App[3]: (7984) IIS Worker Process (), type = 5

            10/16/2025 16:40:22.377 [19992]: Security info:

            10/16/2025 16:40:22.377 [19992]: Owner: S-1-5-18

            10/16/2025 16:40:22.377 [19992]: Group: S-1-5-18

            10/16/2025 16:40:22.377 [19992]: DACL information: 5 entries:

            10/16/2025 16:40:22.377 [19992]: ACE[0]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-1-5-32-544

            10/16/2025 16:40:22.377 [19992]: ACE[1]: Type = 0x00, Flags = 010, Mask = 001f01ff, SID = S-1-5-18

            10/16/2025 16:40:22.377 [19992]: ACE[2]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-1-5-32-545

            10/16/2025 16:40:22.393 [19992]: ACE[3]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-1-15-2-1

            10/16/2025 16:40:22.393 [19992]: ACE[4]: Type = 0x00, Flags = 010, Mask = 001200a9, SID = S-1-15-2-2

            10/16/2025 16:40:22.393 [19992]: Assembly Install: Failing with hr=80070005 at RemoveDirectoryAndChildren, line 393

            10/16/2025 16:40:22.393 [19992]: Detailed info about C:\Windows\assembly\temp\9NMYAPTAO4\Microsoft.Extensions.DependencyInjection.dll


          2. Hi Alex,
            you are right that my script does not handle errors. Definitely something I need to look into when I have time.

            Btw, this “error” does not cause the installer to fail. It is retried a couple of times and then it continues – this will cause extended installation time.
            And this is the weirdest part: the message indicates that 4 IIS worker processes are running which block the assembly update as the keep the file in use. And my script stops the w3svc service from IIS.
            So there should not be any IIS Worker Processes running…
            It looks something restarted the w3svc – or stopping the service failed – which I haven’t seen either.
            Cheers,
            Stefan


    2. I ran into the same issue on my 8 server SE farm. Make sure the Farm account is not in the Local Administrators group, Make sure the Local Service and Local System are not in the WSS_WPG group before running the binary installer.

      Reply

      1. Thanks a lot Stephen! That did the trick.

        Reply

  3. October CU apparently fixed issue with .vsd crawl-ing, introduced with September CU. Thanks!

    Cheers,

    Reply

  5. Unfortunately, new issues have emerged with Visio iFilter handling .vsdx files. While earlier problems with .vsd files appear to be resolved, .vsdx crawling has become unreliable in recent build.
    In testing, a full crawl of a document library containing a single .vsdx test file succeeded only 4 out of 10 times. When multiple copies of the same file were added to the library, the success rate dropped to roughly 1 in 10.
    Even more concerning, it takes approximately four incremental crawls just to reduce the number of uncrawled .vsdx documents by one, from the nine remaining after the initial full crawl.
    This behavior was observed on two farms running the October 2025 Cumulative Update, with Visio iFilter version 16.0.19127.20262.

    Reply

    1. Error message contains: Processing this item failed because of a IFilter parser error. ( Error parsing document ssic://[ItemId]. Error initializing IFilter for extension ‘.vsdx’ (Error code is 0x80004005). The function encountered an unknown error…..)

      Reply

      1. Hi Atis,
        my recommendation would be to open a ticket with Microsoft to ensure this is investigated.
        Cheers,
        Stefan

        Reply

  6. Hi,

    For your information, I’ve developed a script that automates the installation of cumulative updates, runs the content database upgrade in four threads, executes SPConfig.exe on each SharePoint server, and finally configures the side-by-side token.
    This script was inspired by Stefan and some great articles about SharePoint updates.
    Please test it and share your feedback.
    https://github.com/luigilink/SPSUpdate

    Take care !
    LuigiLink

    Reply

    1. The file name is PSConfig.exe

      Reply

  7. Does anyone have info and a positive report on doing the Oct CU in the case where they skipped and did not do the Sept CU after hearing it had issues?

    Reply

    1. I have successfully upgraded farms from February, August and September CU

      Reply

  8. Hi Stefan,

    In SPSE, installation of package is failing. Unable to install the Oct. 2025 patch in SPSE and SP 2016 SharePoint farm. I have removed the NT Authority\system account from WSS_WPG and IIS_IUSRS local security groups of the SharePoint machines. But still same issue.

    Could you please guide me on this.

    Thanks.

    Reply

    1. Hi Ganesh,
      check the msp installer log and search for “– Error” in the file.
      That should give you the actual error why the installation failed.
      If you need further assistance to get this resolved, please open a ticket with Microsoft Support.
      Cheers,
      Stefan

      Reply

  9. We have been running SP servers with the farm account as a local admin for quite some time. I attempted to remove it but found that search began to fail. I was not able to come to a root cause of the failure so I revert the permissions back.

    Because of the issues with the Sept patch, I skipped it.

    I would like to test using the installation account to install the binaries and run PSConfigUI.exe. This account has local admin.

    Will the October patch installation fail if the farm account is a local admin?

    Also, secondly, must the patch level of SharePoint Workflow farm be at the latest patch, or can it be latest patch-1 in order to have a successful patch?

    Thank you.

    Reply

    1. Hi Tom,
      no it will not – but for security reason the farm account should really be a low priviledge account.
      If you cannot identify the root cause yourself you might want to open a ticket with Microsoft support to identify why the farm service account has to be a local admin in your scenario.
      My assumption is that the farm service account is used for additional purposes in your farm. It should only be used to as account for OWSTIMER.EXE and the application pool account of the central admin.
      All additional services and service applications should use a different account
      Cheers,
      Stefan

      Reply

  10. I have an SP SE install with the september patch, I tried installing it overnight but the patch never progressed. I cancelled it, I noticed that “NT Authority\System” is in WSS_WGP, so I removed it and now it says “The installation of this package failed”. Do you have any idea why this may be?

    Reply

    1. Hi Daniel,
      please check the uber…msp file in the %localappdata%\temp directory and search for “– Error” in the file.
      In most cases the reason why the installation failed can be seen here.
      Cheers,
      Stefan

      Reply

      1. Thanks Stefan.

        The only error messages I think that may be relevant are lines like:

        [1520]: Assembly Install: Failing with hr=80070005 at RemoveDirectoryAndChildren, line 39
        [1520]: Assembly Install: Failing with hr=80070005 at RemoveDirectoryAndChildren, line 393
        [1520]: Assembly Install: Failing with hr=80070020 at RemoveDirectoryAndChildren, line 393
        [1520]: Assembly Install: Failing with hr=800700b7 at FusionMoveDirectory, line 3199
        [1520]: Assembly Install: Failing with hr=800700b7 at FusionMoveDirectory, line 3200
        [15688]: Assembly Install: Failing with hr=80070005 at RemoveDirectoryAndChildren, line 393
        [15688]: Assembly Install: Failing with hr=800700b7 at FusionMoveDirectory, line 3199
        [15688]: Assembly Install: Failing with hr=800700b7 at FusionMoveDirectory, line 3200

        I got it to work after about three more attempts (the successful attempt took about 3 hours to run), I also got an error message with the Wizard afterwards:

        “An exception of type Microsoft.SharePoint.PostSetupConfiguration.PostSetupConfigurationTaskException was thrown. Additional exception information:
        Number of user defined objects dropped incorrectly = ‘2554’ (EventID:ajyyy)

        User Defined Object [proc_GetVersion] Modified (EventID:ajyyz)”

        However, running PSConfig instead worked fine, so I think everything’s working as expected now.

        Reply

        1. Hi Daniel,
          these messages do not hurt. They just delay he installation.
          The second message about user defined objects dropped incorrectly is more concerning.
          But running PSConfig with all parameters should ensure that everything is fine.
          Cheers,
          Stefan

          Reply

  11. Does by any chance someone else experience that you can’t add new lines (e.g. enumeration , hit ‘enter’) to text webparts anymore which contain at least one link? Its reproducible across different sites and farms.

    Reply

  12. Anyone experiencing error with Secure Store after installing October 2025 CU?
    Exception from code like
    Microsoft.Office.SecureStoreService.Server.SecureStoreServiceException: “Unable to decrypt the credentials.”
    or
    Decrypt Failed:System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.

    As well as issues when editing existing Secure Store Target Applications (UI):
    “Group claim validation failed.”

    Editing freshly added new Target Application works correctly.

    Does this update changes some cyphers? Cryptographic algorithms? What are the possible resolutions now?

    Reply

      1. Thank you that must be it. I didn’t see the note in September CU that “To enhance security the encryption algorithm used by the secure store service to save credentials has been update to a more secure version.
        As a side effect credentials stored with the old algorithm can no longer be decrypted.”

        So as a consequence any CU afterwards will introduce that upgraded ciphers, right?

        Reply

        1. Yes, thats correct.

          Reply

  13. Dear all, does anybody else have a high CPU usage for the two processes IIS Worker and Antimalware after the October on SharePoint SE Web Servers? In our farm (2xAPP,2xOOS,2xWFE,1xSQL) we have 100% CPU on the WFE caused by these two processes together (ca. 2/3 IIS vs. 1/3 Antimalware).

    Reply

    1. Hi Matthias,
      sounds as if your AV solution has a very expensive implementation for AMSI.
      If you enabled Full Body Scan in AMSI I would recommend to disable it as this can be a really an expensive operation. AMSI without Full Body Scan should not have a significant foot print (assuming the AV solution is properly implemented) as it does only have to scan Url and HttpHeaders which is usually around 1-2 KB.
      Cheers,
      Stefan

      Reply

  14. Hi Stefan,

    since I installed the update we have troubles with the text-webpart. If I add a new text-webpart on a page I cannot insert text. To edit an existing text-webpart is no problem. I think there might be a problem with the new feature that came with September update (we didnt install that update).

    Regards,
    Martina

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.