Sign in with Microsoft
Sign in or create an account.
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.


This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures CVE-2018-8426, Microsoft Common Vulnerabilities and Exposures CVE-2018-8428, and Microsoft Common Vulnerabilities and Exposures CVE-2018-8431.

Note To apply this security update, you must have the release version of SharePoint Enterprise Server 2016 installed on the computer.

This public update delivers Feature Pack 2 for SharePoint Server 2016, which contains the following feature:

  • SharePoint Framework (SPFx)

This public update also delivers all the features that were included in Feature Pack 1 for SharePoint Server 2016, including:

  • Administrative Actions Logging

  • MinRole enhancements

  • SharePoint Custom Tiles

  • Hybrid Auditing (preview)

  • Hybrid Taxonomy

  • OneDrive API for SharePoint on-premises

  • OneDrive for Business modern experience (available to Software Assurance customers)

The OneDrive for Business modern user experience requires an active Software Assurance contract at the time that the experience is enabled, either by installation of the public update or by manual enablement. If you don't have an active Software Assurance contract at the time of enablement, you must turn off the OneDrive for Business modern user experience.

For more information, see the following Microsoft Docs articles:

New features included in the November 2016 Public Update for SharePoint Server 2016 (Feature Pack 1)

New features included in the September 2017 Public Update for SharePoint Server 2016 (Feature Pack 2).

Improvements and fixes

This security update contains improvements and fixes for the following nonsecurity issues for SharePoint Server 2016:

  • When you upload a document to a folder in a document library by using the Microsoft Edge browser, you can't select a destination folder.

  • Assume that you set Managed Navigation for a subsite. When you navigate to a page on the subsite through the friendly URL of its term, the query variable {Page} or {Page.URL} returns an invalid URL for the page.

  • If a document is followed by a user, and its name contains special characters, you can't open the document.

  • This update addresses some issues about the SharePoint Properties Panel in Word 2016. For example, when a document is renamed or a document has required properties, you receive the following error message:

    No SharePoint properties found.

    This update also addresses the encoding issue of the document URL.

  • When you right-click an Analytic Chart or Grid in a PerformancePoint dashboard page, and then you select Filter > Top 10, you may receive the following error message:

    An unexpected error occurred.

  • This update increases the maximum length of URLs to 4,000 characters for reporting databases.

This security update contains improvements and fixes for the following nonsecurity issues for Project Server 2016:

  • You can't update the Status Manager field for a task through the Client-Side Object Model (CSOM).

  • When you create and insert a new task into a collapsed task outline in a project through the Client-Side Object Model (CSOM), the new task may be inserted at the wrong location in the project.

  • When you assign a resource to a task through the Client-Side Object Model (CSOM), this is done based on the resource name instead of pairing the resource and task GUID fields. As a result, the resource that is assigned to the task is not the one that is specified through CSOM.

  • When the scheduled Backup and Restore Timer job runs, SQL Server deadlocks occur when an archived version of the project has to be deleted before a new version can be written.

  • If a task link is created between two tasks, the dependency type of the task link can't be changed through the Client-Side Object Model (CSOM).

  • The Task IsLockedByManagerproperty can't be set through the Client-Side Object Model (CSOM).

  • You can't get the department that is associated with a custom field through the Client-Side Object Model (CSOM).

  • When you try to get an enterprise resource through the Client-Side Object Model (CSOM), the RES_ID property (the Unique ID of an enterprise resource), isn't returned in the same manner as it is through the Project Server Interface (PSI).

  • You can't return a list of template projects by using the Client-Side Object Model (CSOM) ProjectCollection.

  • You can't update a Lookup Table mask through the Client-Side Object Model (CSOM). Therefore, you can't programmatically add a value to the Lookup Table at the level that is not defined in the mask.

How to get and install the update

Method 1: Microsoft Update

This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see Windows Update: FAQ.

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

Method 3: Microsoft Download Center

You can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.

More Information

Security update deployment information

For deployment information about this update, see security update deployment information: September 11, 2018.

Security update replacement information

This security update replaces previously released security update KB4032256.

File hash information

File name

SHA1 hash

SHA256 hash




File information

For the list of files that are included in the security update 4092459, download the file information.

How to get help and support for this security update

Help for installing updates: Windows Update: FAQ

Help for protecting your Windows-based computer from viruses and malware: Microsoft Secure

Local support according to your country: International Support

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!