Resolved: Trending Issue: SharePoint fixes fail to install after installation of September 2025 CU

To enhance security, the September 2025 CU for SharePoint restricts the WSS_WPG and IIS_IUSRS Windows security groups from writing into the SharePoint _LAYOUTS directory (c:\program files\common files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS).

Because the SharePoint Configuration Wizard adds the Windows local system account (NT Authority\system) to the WSS_WPG security group, the restriction also applies to that account, and future fixes fail to install.

Reference:

Solution:

October 2025 CU for SharePoint Server 2016, 2019 and Subscription Edition includes a fix for this issue:

The October 2025 CU reverts the change and removes the deny write permissions for the WSS_WPG and IIS_IUSRS groups on the LAYOUTS folder to prevent this issue.

If the September 2025 CU was installed before this fix, it is necessary to manually remove the local system account from the WSS_WPG and IIS_IUSRS security groups before applying the October 2025 CU. Otherwise the October 2025 CU cannot be installed.
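
The manual step above can be checked and applied with the built-in local accounts cmdlets. The following PowerShell is an added example, not a script from Microsoft or from the original post; it assumes Windows PowerShell 5.1, an elevated session, and that it is run on each SharePoint server. It matches the local system account by its well-known SID (S-1-5-18) rather than by name.

```powershell
# Added example (not Microsoft's script): report and remove the local system
# account from the two groups named in the post. Run elevated on each server.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$GroupName = @('WSS_WPG', 'IIS_IUSRS')
)

# Well-known SID of NT AUTHORITY\SYSTEM; matching on the SID avoids
# problems with localized account names.
$systemSid = 'S-1-5-18'

foreach ($group in $GroupName) {
    # Skip groups that do not exist on this machine instead of failing.
    if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
        Write-Warning "Local group '$group' not found on $env:COMPUTERNAME"
        continue
    }

    $member = Get-LocalGroupMember -Group $group |
        Where-Object { $_.SID.Value -eq $systemSid }

    if (-not $member) {
        Write-Output "$env:COMPUTERNAME  $group : local system is not a member"
        continue
    }

    # Honors -WhatIf / -Confirm so the change can be previewed first.
    if ($PSCmdlet.ShouldProcess("$group on $env:COMPUTERNAME", "Remove $($member.Name)")) {
        Remove-LocalGroupMember -Group $group -Member $systemSid
        Write-Output "$env:COMPUTERNAME  $group : removed $($member.Name)"
    }
}
```

Saved as a script file and run with `-WhatIf`, it only reports what it would remove, which gives a record of the group membership on each server before the October 2025 CU is applied.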

24 Comments


  1. Greetings, Stefan. We refrained from installing the Sept CU for SharePoint 2019 due to the multiple issues identified. For this issue, do we need to perform the remediation steps of changing the accounts for the Claims To Windows Token Service and the Document Launcher Conversion service as well or can we just proceed with installing the October 2025 CU? Thank you.

    -Daniel

    Reply

    1. I was going to ask the same question, thanks.

      Reply

      1. Hi JV,
        no that is not required. If September 2025 CU was not installed you can install October CU and you will not run into these issues.
        The code that caused this has been reverted.
        Cheers,
        Stefan

        Reply

    2. Hi Daniel,
      no that is not required. If September 2025 CU was not installed you can install October CU and you will not run into these issues.
      The code that caused this has been reverted.
      Cheers,
      Stefan

      Reply

  2. Hello Stefan,

    First of all, thanks a lot for this! I was struggling to understand why I cannot install October CU. We have already installed September 2025 CU.
    May I ask you something? I see the account NT Authority\system only in the WSS_WPG and not on the IIS_IUSRS group. Do I just remove it from WSS_WPG and that would do it?
    Also should I do this removal from all servers in the farm I guess, correct?

    Thanks!!
    Alex

    Reply

    1. Hi Alex,
      yes that is correct. SharePoint only adds it to the WSS_WPG group but if it would have been added to IIS_IUSRS through other means it would have caused the same problem.
      That's why I asked to check here as well.
      And yes: you need to remove it on all servers.
      Cheers,
      Stefan

      Reply

  3. Thanks for keeping us up to date on all of this!

    If we haven’t yet done so, do you still recommend that we reconfigure the “Claims to Windows Token Service”, “Document Conversions Launcher Service”, and “Document Conversions Load Balancer Service” services to use domain accounts rather than the “Local Service” account (including starting the disabled services to allow the one-time time job to update the Windows service’s “Log On” account), or is that no longer necessary now that the change has been reverted?

    Reply

    1. Hi Peter, no – not at this time.
      Cheers,
      Stefan

      Reply

  4. Hello Stefan

    After removing NT Authority\system from WSS_WPG and applying the SharePoint Oct25 updates successfully, do you need to put NT Authority\system back into WSS_WPG?

    Reply

    1. Hi Emmanuel,
      no this is not necessary. The SharePoint configuration wizard will add the accounts if required after installing the fix.
      Cheers,
      Stefan

      Reply

  5. Hi Stefan,

    After removing the local system account from the WSS_WPG, I am able to install the Oct 2025 CU for SharePoint 2016.

    Do I need to re-add the local system account back to WSS_WPG group afterwards?

    Reply

    1. Hi Riley,
      no this is not necessary. The SharePoint configuration wizard will add the accounts if required after installing the fix.
      Cheers,
      Stefan

      Reply

  6. Hi Stefan,
    I checked the WSS_WPG group and NT Authority\system was not a member. I checked IIS_IUSRS and NT Authority\local service was a member and was removed. NT Authority\system was not a member.

    Despite the above any attempt to install the Oct 2025 CU fails.

    Any help would be appreciated.

    Reply

    1. Hi Steve,

      ok, in this case check the msp installer log of the fix. It is in %localappdata%\temp. Inside search for “– Error”.
      The reason why installation fails is usually identified here.

      Cheers,
      Stefan

      Reply

    2. You might have run the KB as an admin; try opening it normally, not “Run as an admin”.

      Reply

  7. Hello Stefan,

    one question from my side, please: all those changes in the security from September – which caused quite some issues – will they get back somehow in the (near) future? Are they then better documented that a script could help to make the changes in the specific local groups and in SharePoint itself possible?

    Best regards

    Gerald

    Reply

    1. Hi Gerald,
      if the changes come back (it has not been decided), then only after these problems are resolved – either by the installer itself – or by providing clear guidance to customers.
      Cheers,
      Stefan

      Reply

  8. Stefan – after installing KB5002784 the search feature is broken even though we have continuous crawl enabled. To get searching working again I enabled incremental crawls which makes the front ends unresponsive when the crawls kick off. I was hoping KB5002786 would fix the searching issue and reenabled continuous crawls but unfortunately my search function is broken again.

    Is there a fix for continuous crawls after the September patch?

    Thanks,
    Franklin

    Reply

    1. Hi Franklin,
      I’m not aware of such an issue or a fix in the pipeline.
      Did you open a support case for this with Microsoft?
      Cheers,
      Stefan

      Reply

      1. Thank you for the reply. Yes, I do have a case open and am awaiting a response.

        Reply

        1. Hi Franklin,

          Hope you are doing good! Please let me know if you get any resolution for search.

          In my tenant also Incremental and Full are not crawling automatically.

          Appreciate for your quick response and help

          Reply

  9. This debacle really makes me wonder about the competency of the software developers that Microsoft is employing. This problem seems pretty elementary and obvious, not to mention it would have shown up if they performed even the most basic testing.

    Reply
