Hi Meadows Bali,
Thank you for posting your question in the Microsoft Q&A forum.
Based on the symptoms you described, I found a similar thread where the user performed extensive, deep troubleshooting but was still unable to resolve the issue. This suggests that the problem is quite complex and likely requires the involvement of a Microsoft Support Engineer to investigate further at the backend level.
Please note that this is a user-to-user support forum. Moderators, contributors, and external Microsoft employees participating here do not have access to backend systems or the ability to intervene directly in Microsoft product features. Our role is limited to offering technical guidance and sharing best practices based on reported issues.
Therefore, the first step I recommend is to create a support ticket with Microsoft’s Support team directly. Advanced configuration tasks of this nature require specialists who have access to the appropriate diagnostic tools and can provide real-time guidance to ensure accuracy and prevent errors. You can submit a support request here: https://support.serviceshub.microsoft.com/supportforbusiness/onboarding?origin=/supportforbusiness/create
Additional Technical Insights:
While a support ticket is the best path forward, I want to provide some technical context that may be relevant to your situation after the October 2025 updates:
As documented in recent community posts (e.g., Stefan Gossner's Blog and Cloudwell), the September/October 2025 updates introduced a security hardening measure that denies write permission by default for the WSS_WPG and IIS_IUSRS groups on the LAYOUTS folder.
Note: This information is provided as a convenience to you. These sites are not controlled by Microsoft, and Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please ensure that you fully understand the risks before using any suggestions from the above link.
Regarding the User Profile Synchronization Service (UPSS):
- The UPSS must run under the Farm Account (e.g. DOMAIN\sp_farm), which is a domain account.
- However, the Farm Account is automatically a member of the local WSS_WPG group on the server.
- Because an Explicit Deny on a group typically overrides an "Allow" permission in Windows, the initialization of the UPSS engine (which needs to write temporary configuration/certificate data to system folders) may be blocked.
While Microsoft released a fix for SharePoint Server 2016 (KB5002805) to relax this restriction, a similar universal patch for SharePoint 2019 or Subscription Edition (SE) has not been as widely reported.
Potential Workaround (Consider with Caution): One approach to consider is manually granting Explicit Allow (Full Control/Write) to the Farm Account specifically on the LAYOUTS folder.
Note of Caution: Since modifying system folder permissions may interfere with the security posture Microsoft intended to apply, I strongly recommend performing such actions under the supervision of a live Microsoft Support agent to avoid any unforeseen security risks or system instability.
I hope this information is helpful for your investigation.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
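As an added example (not code from the answer above, and not from Microsoft), the following PowerShell script audits the ACL that the answer discusses: it lists the ACEs on the LAYOUTS folder for WSS_WPG, IIS_IUSRS and the farm account, flags any explicit Deny entries, checks whether the farm account is actually a member of the local WSS_WPG group, and only with -Grant adds the explicit Allow for the farm account that the answer describes as a workaround. Assumptions: the default 16-hive LAYOUTS path, DOMAIN\sp_farm as a placeholder farm account, a Modify right level (the answer mentions Full Control/Write; pick what your support engineer advises), and the script file name Audit-LayoutsAcl.ps1.

```powershell
# Added example; not code from the original answer or from Microsoft.
# Assumptions (adjust for your farm):
#   - $LayoutsPath is the default 16-hive LAYOUTS folder for SharePoint 2019 / SE.
#   - $FarmAccount is a placeholder for your farm service account.
#   - -Rights defaults to Modify; the answer above mentions Full Control/Write.
# Run from an elevated PowerShell session on the SharePoint server.
# Without -Grant the script only reads and reports; -Grant writes the ACL.
param(
    [string]$LayoutsPath = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
    [string]$FarmAccount = 'DOMAIN\sp_farm',
    [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify',
    [switch]$Grant
)

if (-not (Test-Path -LiteralPath $LayoutsPath -PathType Container)) {
    throw "LAYOUTS folder not found: $LayoutsPath"
}

# Principals the answer discusses: the two groups the hardening update denies, plus the farm account.
$farmName = $FarmAccount.Split('\')[-1]
$watched  = @('WSS_WPG', 'IIS_IUSRS', $farmName)

function Test-WatchedPrincipal {
    param([string]$Identity)   # e.g. 'SERVER\WSS_WPG', 'BUILTIN\IIS_IUSRS', 'DOMAIN\sp_farm'
    return $watched -contains $Identity.Split('\')[-1]
}

$acl = Get-Acl -LiteralPath $LayoutsPath
Write-Host "ACL on $LayoutsPath (owner: $($acl.Owner))"

# 1. List every ACE on the folder for the watched principals, Deny entries first.
$acl.Access |
    Where-Object { Test-WatchedPrincipal $_.IdentityReference.Value } |
    Sort-Object { $_.AccessControlType -eq 'Deny' } -Descending |
    ForEach-Object {
        $line = '{0,-5} {1,-30} {2,-40} inherited={3}'
        $line -f $_.AccessControlType, $_.IdentityReference.Value, $_.FileSystemRights, $_.IsInherited
    }

# 2. Flag explicit Deny entries for the watched principals (what the answer attributes to the update).
$denies = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and (Test-WatchedPrincipal $_.IdentityReference.Value)
})
if ($denies.Count -gt 0) {
    $who = ($denies | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique) -join ', '
    Write-Warning "Explicit Deny on LAYOUTS for: $who"
}

# 3. Confirm the premise that the farm account is a member of the local WSS_WPG group.
$inWpg = @(Get-LocalGroupMember -Group 'WSS_WPG' -ErrorAction SilentlyContinue |
          Where-Object { $_.Name -eq $FarmAccount }).Count -gt 0
Write-Host ("{0} is {1}a member of local WSS_WPG" -f $FarmAccount, $(if ($inWpg) { '' } else { 'NOT ' }))

# 4. Optional change: add an explicit Allow for the farm account on the folder and its children.
if ($Grant) {
    # Save the current ACL first so it can be restored with:
    #   icacls "<parent folder of LAYOUTS>" /restore <backup file>
    $backup = Join-Path $env:TEMP ("LAYOUTS-acl-{0:yyyyMMdd-HHmmss}.bak" -f (Get-Date))
    & icacls.exe $LayoutsPath /save $backup | Out-Null
    Write-Host "ACL backup written to $backup"

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $FarmAccount, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $LayoutsPath -AclObject $acl
    Write-Host "Added Allow:$Rights for $FarmAccount on $LayoutsPath"
}
```

Run it first without switches (.\Audit-LayoutsAcl.ps1 -FarmAccount 'DOMAIN\sp_farm') to see which Deny and Allow entries are present and whether the farm account is in WSS_WPG; nothing is modified in that mode. Only rerun with -Grant if you have decided, with Microsoft Support, that the explicit Allow is the right step; the icacls backup it writes lets you revert the folder's ACL if the change causes problems.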