With the most recent security updates released this month, Microsoft has introduced an issue for some Windows Server users. The KB5065426 update was released a few days ago, including not only security fixes, but also new features.

The unexpected payload, however, is the appearance of a problem with Active Directory. Microsoft summarizes the problem in an advisory notice entitled “Directory synchronization fails for AD security groups exceeding 10,000 members”.

Explaining the issue in a posting to the Windows release health pages, Microsoft says:

Applications that use the Active Directory directory synchronization (DirSync) control for on-premises Active Directory Domain Services (AD DS), such as when using Microsoft Entra Connect Sync, can result in incomplete synchronization of large AD security groups exceeding 10,000 members. This issue occurs only on Windows Server 2025 after installing the September 2025 Windows security update (KB5065426), or later updates.

The company has not given any indication of how many users may have been affected by this issue, but says that it is working on a fix. As there is no full solution to the problem yet, Microsoft has provided details of a workaround.

By editing the registry, it is possible for affected users to disable the changes introduced by this latest update.

Microsoft says:

Affected customers can apply the following registry key to disable the feature change. Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. For more information, see Windows registry for advanced users.

The tweak that needs to be applied in the registry editor is as follows:

Path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides
Name: 2362988687
Type: REG_DWORD
Value: 0

Microsoft has also acknowledged the problem in the Known Issues section of the KB5065426 update:

After installing this update, applications that use the Active Directory directory synchronization (DirSync) control for on-premises Active Directory Domain Services (AD DS), such as when using Microsoft Entra Connect Sync, can result in incomplete synchronization of large AD security groups exceeding 10,000 members.

A proper fix will be delivered in due course.
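
For administrators who would rather script the workaround than edit the registry by hand, the following PowerShell is an added example, not code from Microsoft or from the original article. The function name, the -Apply switch and the OS caption match are assumptions; the registry path, value name, type and data are the ones given above. It reports the current state by default, so it can also be used later to find servers where the override is still set once a fix ships.

```powershell
# Added example: audit or apply the registry override from the advisory.
# Function and parameter names are hypothetical; path, name, type and value are from the page.
function Set-DirSyncWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Apply   # without -Apply the function only reports the current state
    )

    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides'
    $name  = '2362988687'
    $value = 0

    # The advisory scopes the issue to Windows Server 2025.
    # Assumption: the OS caption contains the product name.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $affectedOs = $os.Caption -like '*Windows Server 2025*'

    # Read the current override, tolerating a missing key or a missing value.
    $current = $null
    if (Test-Path -Path $path) {
        $prop = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $current = $prop.$name }
    }

    # Write only on an affected OS, only when asked, and only if not already set.
    if ($Apply -and $affectedOs -and $current -ne $value) {
        if ($PSCmdlet.ShouldProcess("$path\$name", "Set REG_DWORD to $value")) {
            if (-not (Test-Path -Path $path)) {
                New-Item -Path $path -Force | Out-Null
            }
            New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $value -Force | Out-Null
            $current = $value
        }
    }

    # One object per host, suitable for collecting across domain controllers.
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OS            = $os.Caption
        AffectedOS    = $affectedOs
        OverrideValue = $current
        WorkaroundSet = ($current -eq $value)
    }
}

Set-DirSyncWorkaround                    # report only
# Set-DirSyncWorkaround -Apply -WhatIf   # preview the change
# Set-DirSyncWorkaround -Apply           # write the override (run elevated)
```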
