Description of the security update for SharePoint Server 2016: November 14, 2017

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures CVE-2017-11876 and Microsoft Common Vulnerabilities and Exposures ADV170020.

Note To apply this security update, you must have the release version of SharePoint Server 2016 installed on the computer.

This public update delivers Feature Pack 2 for SharePoint Server 2016, which contains the following feature:

• SharePoint Framework (SPFx)

This public update also delivers all the features previously included in Feature Pack 1 for SharePoint Server 2016, including:

• Administrative Actions Logging
• MinRole enhancements
• SharePoint Custom Tiles
• Hybrid Auditing (preview)
• Hybrid Taxonomy
• OneDrive API for SharePoint on-premises
• OneDrive for Business modern experience (available to Software Assurance customers)

The OneDrive for Business modern user experience requires an active Software Assurance contract at the time that it is enabled, either by installation of the public update or by manual enablement. If you don't have an active Software Assurance contract at the time of enablement, you must turn off the OneDrive for Business modern user experience.

For more information, see New features included in the November 2016 Public Update for SharePoint Server 2016 (Feature Pack 1) and New features included in the September 2017 Public Update for SharePoint Server 2016 (Feature Pack 2).

This security update contains the following improvements and fixes the following nonsecurity issues in SharePoint Server 2016:

• The UPN of an account is used instead of the SMTP email address in some scenarios. For example, this issue occurs when you share a file in OneDrive for Business or you create an alert on another user's blog for the first time.

• Changes the following Health Analyzer rules.

  After you install this update, by default these three rules will be reset from ON to OFF, unless you have configured the rules or made changes to the rules:
  • Health Analyzer: Accounts used by application pools or service identities are in the local machine Administrators group (SharePoint Server)
  • Health Analyzer: Databases running in compatibility range, upgrade recommended (SharePoint Server)
  • Health Analyzer: Databases exist on servers running SharePoint Foundation (SharePointServer)

• When you try to add a user to a site by using the Site Users Web Part, the Sharing dialog box is not loaded.

• When you click a term and the Term-Driven Page with Friendly URLs option is selected, you receive a PageNotFound error if the URL includes an ampersand (&).

• When you update terms in SharePoint Server 2016, you receive the following error message:

  This operation cannot be completed. The term store may be unavailable.

• Health analyzer does not remove apps stuck in the installing state.

• Hybrid self-service site creation redirects the default Self-Service Site Creation (SSSC) page in SharePoint Server 2016 to the SharePoint Online site creation experience. After you install this update, you can enable users to create their sites in SharePoint Online instead of in SharePoint Server. You can also target this redirection experience based on audience, allowing hybrid-enabled users to create sites in SharePoint Online while other users continue to create sites on-premises.

• Starting with the May 2017 Public Update for SharePoint 2013, the Secure Store schema version number in SharePoint 2013 is higher than the one in SharePoint Server 2016, and this prevents a version-to-version upgrade. This update fixes the Secure Store schema version in SharePoint Server 2016 to unblock Secure Store upgrade from SharePoint Server 2013.

• When you visit another user's OneDrive, the menu shows an incorrect user name instead of yours.

• Renames the following two Health Analyzer rules titles for better wording:

  • "Health Analyzer: Some health analyzer rules do not have associated timer jobs" is renamed as "Health Analyzer: Some Health Analyzer rules are enabled but do not have any associated timer jobs."

  • Health Analyzer: Databases exist on servers running SharePoint Foundation is renamed as "Health Analyzer: Databases exist on servers running SharePoint."

• An incorrect user name is displayed in OneDrive if there is an ampersand character (&) in the user name.

• You can now edit the SharePoint properties of a document directly in the Microsoft Word client through the SharePoint Properties panel. This experience requires a version of Microsoft Word that supports this functionality, such as the version that is included in Microsoft Office 365.

• Some SharePoint features impersonate end users when sending email to personalize the message. For example, when a user requests access to a site, SharePoint will set the "From" address of the email notification as the user who made the request.

  Some SMTP servers may block impersonation to protect users from unauthorized attempts to spoof their identities. If your SMTP server blocks impersonation, you can now configure each SharePoint web application to disable this behavior. This will ensure that SharePoint always uses the "From" address that is specified at the web application level.

  Follow these steps to disable SharePoint email impersonation:

  1. Launch the SharePoint 2016 Management Shell.

  2. Run the following commands:

     $webapp = Get-SPWebApplication WebApplicationURL

     $webapp.OutboundMailOverrideEnvelopeSender = $true

     $webapp.Update()

• Fix a word wrap issue for the Polish version of SharePoint Server 2016.

• Translate some terms in multiple languages to make the meaning accurate.

• Some browsers are unable to download files from SharePoint that have file names that include double-byte characters.

• Update copies and overwrite of minor version of documents from the ribbon or document library improvements is blocked.

• Some files (.docx) that are indexed by search and parsed by using IFilters are not searchable and discoverable. This issue occurs because tab characters are ignored, and text is concatenated instead of proper spacing between them.

• Fix a typo for the German version of SharePoint Server 2016.

This security update contains the following improvements and fixes the following nonsecurity issues in Project Server 2016:

• When a Project Server lookup table is created and details are added, nothing is displayed for the resource in Resource Center > Capacity Planning.

• After you change the SharePoint farm authentication realm, Project Server workflows stop progressing and go into suspended mode.

• If the previous publish is failed, the publishing of the master project is blocked.