Important: This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.
Symptoms
After you install the following September security updates for Microsoft SharePoint Server, some Microsoft SharePoint 2010 workflow scenarios might be blocked:
- Description of the security update for SharePoint Foundation 2013: September 13, 2022 (KB5002267)
- Description of the security update for SharePoint Server 2019: September 13, 2022 (KB5002258)
Additionally, event tags "c42q8," "c42ra," and "c42rh" are logged in SharePoint Unified Logging System (ULS) logs.
Cause
To strengthen its security, SharePoint no longer trusts all types in the System.Workflow.Activities and System.Workflow.ComponentModel assemblies as authorized types by default. Instead, individual types from these assemblies have been added as authorized or unauthorized. If a SharePoint 2010 workflow relies on a type that is no longer authorized, users will see the behavior described in the "Symptoms" section of this article.
Workaround
Note: The out-of-box features of SharePoint Server and their dependencies rely on the default settings in the web.config file. If your SharePoint Server does not have any custom code or components deployed, it should not be necessary to make any changes to the web.config file. If you find any out-of-box features that are still affected with the default web.config file, please open a support ticket for us to help investigate and address the issues.
Warning: Types that are in the AuthorizedTypes list of SharePoint’s Web.config file have gone through security review and are considered safe for use by the SharePoint 2010 workflow engine. You should run a security review of any types that you want to add to the list to make sure that they are safe for use in your environment.
If a SharePoint 2010 workflow relies on a type that is no longer authorized, you can add it as an authorized type to the <configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes> node in the Web.config file of your web applications.
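The following PowerShell audit is an added example, not part of the original article: it lists the entries under that node and flags wildcard entries that would restore blanket trust in the two assemblies named in the "Cause" section. The sample Web.config content is constructed for illustration, and the Contoso assembly, its type and its public key token are hypothetical placeholders.

```powershell
# Constructed sample Web.config fragment; the Contoso entry is hypothetical.
$sample = @'
<configuration>
  <System.Workflow.ComponentModel.WorkflowCompiler>
    <authorizedTypes>
      <targetFx version="v4.0">
        <authorizedType Assembly="System.Workflow.Activities, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" Namespace="System.Workflow.Activities" TypeName="*" Authorized="True" />
        <authorizedType Assembly="System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" Namespace="System.Workflow.ComponentModel" TypeName="Activity" Authorized="True" />
        <authorizedType Assembly="Contoso.Workflow, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0000000000000000" Namespace="Contoso.Workflow" TypeName="SendReminder" Authorized="True" />
      </targetFx>
    </authorizedTypes>
  </System.Workflow.ComponentModel.WorkflowCompiler>
</configuration>
'@

function Get-AuthorizedTypeAudit {
    param([Parameter(Mandatory)][xml]$Config)

    # The two assemblies that are no longer trusted wholesale after the update.
    $restricted = 'System.Workflow.Activities', 'System.Workflow.ComponentModel'
    # '//' also matches entries nested in wrapper elements such as <targetFx>.
    $xpath = '/configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes//authorizedType'

    foreach ($node in $Config.SelectNodes($xpath)) {
        # Short assembly name is the part of the display name before the first comma.
        $assembly = ($node.GetAttribute('Assembly') -split ',')[0].Trim()
        $typeName = $node.GetAttribute('TypeName')
        $allowed  = $node.GetAttribute('Authorized') -eq 'True'

        if (-not $allowed) {
            $finding = 'explicitly unauthorized'
        } elseif ($typeName -eq '*' -and $restricted -contains $assembly) {
            $finding = 'REVIEW: wildcard re-trusts every type in a restricted assembly'
        } elseif ($typeName -eq '*') {
            $finding = 'REVIEW: wildcard entry, list individual types instead'
        } else {
            $finding = 'individual type'
        }
        [pscustomobject]@{ Assembly = $assembly; TypeName = $typeName; Finding = $finding }
    }
}

Get-AuthorizedTypeAudit -Config $sample | Format-Table -AutoSize
```

To audit a real web application, pass the parsed file instead of `$sample`, for example `[xml](Get-Content -Raw 'path\to\web.config')`, and compare the output before and after each change.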