Description of the security update for SharePoint Enterprise Server 2016: August 14, 2018

This security update resolves vulnerabilities in Microsoft Office that could allow information disclosure if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures CVE-2018-8378.

Note To apply this security update, you must have the release version of SharePoint Enterprise Server 2016 installed on the computer.

This public update delivers Feature Pack 2 for SharePoint Server 2016, which contains the following feature:

• SharePoint Framework (SPFx)

This public update also delivers all the features that were included in Feature Pack 1 for SharePoint Server 2016, including:

• Administrative Actions Logging
• MinRole enhancements
• SharePoint Custom Tiles
• Hybrid Auditing (preview)
• Hybrid Taxonomy
• OneDrive API for SharePoint on-premises
• OneDrive for Business modern experience (available to Software Assurance customers)

The OneDrive for Business modern user experience requires an active Software Assurance contract at the time that the experience is enabled, either by installation of the public update or by manual enablement. If you don't have an active Software Assurance contract at the time of enablement, you must turn off the OneDrive for Business modern user experience.

For more information, see New features included in the November 2016 Public Update for SharePoint Server 2016 (Feature Pack 1) and New features included in the September 2017 Public Update for SharePoint Server 2016 (Feature Pack 2).

This security update contains improvements and fixes for the following nonsecurity issues for SharePoint Server 2016:

• When a web browser makes a cross-origin resource sharing (CORS) request to a SharePoint REST API, the browser typically sends an OPTIONS preflight request to SharePoint without authentication. SharePoint returns an HTTP 401 status code response for this preflight request, which is not correct.

  With this update, SharePoint introduces the option to respond to the CORS request by sending an HTTP 200 status code, which is the correct behavior. You must run the following commands in PowerShell to enable the new behavior:

  $stsConfig = Get-SPSecurityTokenServiceConfig

  $stsConfig.ActivateOkResponseToCORSOptions = $true

  $stsConfig.Update();

• The Copy-SPSite command destroys the content type relationships in a document library. The content type settings in the document library of a new site collection are different from the settings of the source library. This issue occurs when you copy a site from the root (/) to an included URL (for example, /sites/copiedsite).

• You can’t search integer numbers from a Microsoft Excel workbook in SharePoint 2016. After you install this update, you can search integer numbers in Excel workbooks.

• This update adds better support for keyboard accessibility when you use the Item or Entity Picker dialog box of Business Connectivity Services by restoring the focus to the Browse button whenever the dialog box is closed.

• Assume that a SharePoint Server 2016 web application is using a Security Assertion Markup Language (SAML) Authentication Provider. When you request access to a site in the web application by an Active Directory Federation Services (ADFS) account, you get "Access Denied."

• The context menu of a document displays some options that the user doesn't have permissions to operate. Assume that you have only Read permission on the site, and you right-click a document in the library. The context menu of the document will display the Delete Item option. When you select the "..." column of the document, you may see Rename, Check Out, Workflows, and Shared With options.

• When a timesheet is deleted and then recreated, the actual work that's already been reported and approved doesn't reappear in the timesheet.

• A web application that has an auditing service hangs when the authentication type is changed on a separate web application.

• If there’s already a crawl running on a content source of a SharePoint Search service application when you trigger another crawl by using PowerShell on the same content source, you can’t stop the crawl on the content source through SharePoint or PowerShell. This update enables users to stop the crawl under such conditions.

This security update contains improvements and fixes for the following nonsecurity issues for Project Server 2016:

• When a SharePoint Server 2013 content database that contains Project Server sites is mounted on a SharePoint Server 2016 farm that was set up by using PowerShell cmdlets, Project Server-related database tables are not created. Therefore, the Project Server related sites cannot be opened.

• When you restore Enterprise custom fields by using the Administrative Backup and Administrative Restore features in SharePoint Server 2016 Central Administration, you experience a "ForeignKeyViolationError."

• If you set a long Duration or Work value for a task in a project and then try to achieve the value of the WorkTimeSpan property by using the Project Server 2016 client-side object model (CSOM), an overflow occurs in the WorkTimeSpan property. For example, when you set the Duration value to 75 days, the DurationTimeSpan property displays 36000. However, the WorkTimeSpan property displays -35791.3941333333.

• You receive an unknown error when you set a lookup table value for a local custom field through the Project Server 2016 client-side object model (CSOM).

• When you enter 1d in the Committed Work field for a resource engagement, the Committed Work field always displays the default 8h for 1 day instead of the project calendar setting from the Enterprise Global.

• This update makes the Task Type field and Task.IsEffortDriven property updatable through the Project Server 2016 client-side object model (CSOM).

• When you create an enterprise resource through Project Server 2016 client-side object model (CSOM), you are unable to set values for required custom fields. Therefore, you can’t create the enterprise resource.

Method 1: Microsoft Update

This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see Windows Update: FAQ.

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

Method 3: Microsoft Download Center

You can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.

• Download security update KB 4032256 for the 64-bit version of SharePoint Enterprise Server 2016

Security update deployment information

For deployment information about this update, see security update deployment information: August 14, 2018.

Security update replacement information

This security update replaces previously released security update KB 4022228.

File hash information

File information

Download the list of files that are included in cumulative update KB 4032256.

Help for installing updates: Windows Update: FAQ

Security solutions for IT professionals: TechNet Security Support and Troubleshooting

Help for protecting your Windows-based computer from viruses and malware: Microsoft Secure

Local support according to your country: International Support