The September 2024 updates fixed a security issue, but as a result the web.config files now need additional entries for workflows to function.
SharePoint SE: Description of the security update for SharePoint Server Subscription Edition: September 10, 2024 (KB5002640) – Microsoft Support
SharePoint 2019: Description of the security update for SharePoint Server 2019: September 10, 2024 (KB5002639) – Microsoft Support
SharePoint 2016: Description of the security update for SharePoint Enterprise Server 2016: September 10, 2024 (KB5002624) – Microsoft Support
This affects SharePoint 2010 workflows. We will see event tag ‘c42q0’ in the ULS logs. The KBs list the fix, but it should be applied to ALL servers. The reason is that any SharePoint 2010 workflow with a Pause is picked up by the Workflow timer job, and OWSTimer references the entries in the web.config for the web application on the server that is running the job.
How to fix this?
Manually add the entry to every web.config on every server.
We can also use SharePoint’s WebConfigModifications. The PowerShell below adds the line described in the KBs:
<System.Workflow.ComponentModel.WorkflowCompiler>
  <authorizedTypes>
    <targetFx version="v4.0">
      <authorizedType Assembly="Microsoft.SharePoint.WorkflowActions, Version=16.0.0.0, Culture=neutral, PublicKeyToken=null" Namespace="Microsoft.SharePoint.WorkflowActions.WithKey" TypeName="*" Authorized="True" />
    </targetFx>
  </authorizedTypes>
</System.Workflow.ComponentModel.WorkflowCompiler>
NOTE: The script checks whether a modification with the same Owner has already been added, to prevent duplicate entries. It adds the entry for ALL web applications and applies the change to all the servers.
Add-PSSnapin Microsoft.SharePoint.PowerShell

# Define the modification
$modification = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
$modification.Path = "configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes/targetFx"
$modification.Name = "authorizedType[@Assembly='Microsoft.SharePoint.WorkflowActions, Version=16.0.0.0, Culture=neutral, PublicKeyToken=null' and @Namespace='Microsoft.SharePoint.WorkflowActions.WithKey' and @TypeName='*' and @Authorized='True']"
$modification.Sequence = 0
$modification.Owner = "Sept2024Workflow"
$modification.Type = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::EnsureChildNode
$modification.Value = "<authorizedType Assembly='Microsoft.SharePoint.WorkflowActions, Version=16.0.0.0, Culture=neutral, PublicKeyToken=null' Namespace='Microsoft.SharePoint.WorkflowActions.WithKey' TypeName='*' Authorized='True' />"

# Get all web applications
$webApps = Get-SPWebApplication

foreach ($webApp in $webApps) {
    Write-Host "Applying changes to $($webApp.Url)"

    # Add the modification to the web application
    If ($webApp.WebConfigModifications | ? { $_.Owner -eq "Sept2024Workflow" }) {
        Write-Host "$($webApp.Url) already has fix for Sept2024Workflow. Skipping"
    }
    Else {
        $webApp.WebConfigModifications.Add($modification)
        $webApp.Update()

        # Apply the changes
        $webApp.WebService.ApplyWebConfigModifications()
        Write-Host "Completed changes to $($webApp.Url)"
    }
}
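Because OWSTimer reads the web.config on whichever server runs the Workflow timer job, it is worth confirming that the entry actually landed on each server. The following is an added example, not part of the original post or the KBs: a read-only check to run locally on every server in the farm. The function name Test-WorkflowAuthorizedType and the status labels are hypothetical, and the check assumes the web.config for each zone lives in the IIS path SharePoint reports for that zone.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: counts authorizedType entries for the WithKey namespace
# under any targetFx element of the given web.config. Read-only.
function Test-WorkflowAuthorizedType {
    param([Parameter(Mandatory = $true)][string]$WebConfigPath)

    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($WebConfigPath)

    $xpath = "/configuration/System.Workflow.ComponentModel.WorkflowCompiler" +
             "/authorizedTypes/targetFx/authorizedType" +
             "[@Namespace='Microsoft.SharePoint.WorkflowActions.WithKey'" +
             " and @TypeName='*' and @Authorized='True']"

    # Keep only entries that point at the Microsoft.SharePoint.WorkflowActions assembly
    $matches = @($xml.SelectNodes($xpath) | Where-Object {
        $_.GetAttribute('Assembly') -like 'Microsoft.SharePoint.WorkflowActions,*'
    })
    return $matches.Count
}

$results = foreach ($webApp in Get-SPWebApplication) {
    # A web application can be extended to several zones, each with its own web.config
    foreach ($zone in $webApp.IisSettings.Keys) {
        $configPath = Join-Path $webApp.IisSettings[$zone].Path.FullName 'web.config'

        if (-not (Test-Path -LiteralPath $configPath)) {
            $count = $null; $status = 'NoWebConfigOnThisServer'
        } else {
            $count = Test-WorkflowAuthorizedType -WebConfigPath $configPath
            $status = switch ($count) {
                0       { 'Missing' }     # fix not applied here
                1       { 'OK' }
                default { 'Duplicate' }   # e.g. added manually and via WebConfigModifications
            }
        }

        [pscustomobject]@{
            Server  = $env:COMPUTERNAME
            WebApp  = $webApp.Url
            Zone    = $zone
            Entries = $count
            Status  = $status
            Path    = $configPath
        }
    }
}

$results | Format-Table -AutoSize
```

A 'Missing' row on any server means a paused SharePoint 2010 workflow can still fail when the timer job runs there, even if other servers show 'OK'.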