Description of the security update for SharePoint Server 2016: June 13, 2017

Applies to: SharePoint Server 2016

Summary


This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures ADV170008, CVE-2017-8509, CVE-2017-8511, CVE-2017-8512, and CVE-2017-8514.

Note To apply this security update, you must have the release version of SharePoint Server 2016 installed on the computer.

This public update delivers the first feature pack (Feature Pack 1) for SharePoint Server 2016 that contains the following features:

  • Administrative Actions Logging
  • MinRole enhancements
  • SharePoint Custom Tiles
  • Hybrid Auditing (preview)
  • Hybrid Taxonomy
  • OneDrive API for SharePoint on-premises
  • OneDrive for Business modern experience (available to Software Assurance customers)

The OneDrive for Business modern user experience requires an active Software Assurance contract at the time that it is enabled, either by installation of the public update or by manual enablement. If you don't have an active Software Assurance contract at the time of enablement, you must turn off the OneDrive for Business modern user experience. For more information, see New features included in the November 2016 Public Update for SharePoint Server 2016 (Feature Pack 1).

More information


Microsoft Office 2016 clients use modern authentication by default. In certain configurations, modern authentication isn’t supported by the Office 2016 clients with SharePoint Server 2016, such as when it is used for Active Directory Federation Services (AD FS) 3.0 installations. SharePoint administrators can now configure SharePoint Server 2016 to suppress modern authentication in Office 2016 clients.

To configure SharePoint Server 2016 to suppress modern authentication in Office 2016 clients, follow these steps to run Microsoft PowerShell commands in the SharePoint 2016 Management Shell:

  1. When you install SharePoint Server 2016, the user account from which you ran the installation is granted the appropriate permissions to run Microsoft PowerShell cmdlets. If other users have not been granted permission to run Microsoft PowerShell cmdlets, you can use the Add-SPShellAdmin cmdlet to add them. Before you can use the Add-SPShellAdmin cmdlet to grant permissions, verify that you meet all the following requirements:
     
    • You must have membership in the securityadmin fixed server role on the SQL Server instance.
    • You must have membership in the db_owner fixed database role on all databases that are to be updated.
    • You must be a member of the Administrators group on the server on which you are running the Microsoft PowerShell cmdlet.
  2. At the SharePoint 2016 Management Shell command prompt, type the following commands:

    $sts = Get-SPSecurityTokenServiceConfig
    $sts.SuppressModernAuthForOfficeClients = $true
    $sts.Update()
  3. Restart Internet Information Services (IIS). To do this, run the following command:

    iisreset /restart
  4. Restart the SharePoint Timer Service (SPTimerV4). To do this, run the following commands:

    Net Stop SPTimerV4
    Net Start SPTimerV4
  5. Run the following commands to verify that the change is made:

    $sts = Get-SPSecurityTokenServiceConfig
    $sts.SuppressModernAuthForOfficeClients


    The last command should return True.

Note Microsoft Office 2013 clients are also affected. We are investigating this behavior.

Improvements and fixes


This security update contains improvements and fixes for the following nonsecurity issues in Project Server 2016:
 
  • Improve the performance of the Reporting (Project Publish) queue jobs.
  • Fixes the following issues:
     
    • Consider the following scenario:
       
      • A project manager publishes a task to a team member.
      • The team member in either a timesheet or in tasks within Project Web App reports work that's earlier than what was scheduled. For example, 8 hours of work was scheduled on Wednesday but 8 hours of actual work was reported and submitted for Monday.
      • The status manager approves the update.
      • The team member zeros out the actual work and moves it to a later date.
      • The status manager approves the update.
      • The project is opened in Microsoft Project Server.
      In this situation, the task's actual start date still reflects the earlier update instead of the new update where the actual start date is later.
    • The Reporting (Project Publish) job takes longer than expected in Project Server 2016.

    • Suppose you go to the Project Center page in Project Web App and select many projects. When you click the Open In Microsoft Project option, nothing seems to happen, and the expected master project isn't created in Project Professional. Now, when you've selected more projects than can be used to create a master project via this method, you'll see a message that resembles the following:

      Your selection exceeds the limit for the number of projects we can open at a time from Project Web App. We created a master project with the supported number of projects. You can then add additional projects by going through Insert Subproject.

    • Resources from approved engagements become local resources in Project Professional if the project manager doesn't have sufficient permissions to that resource.
    • When you add new tasks to a project while editing a project in PWA, formulas that use the Now() or CurrentDate() functions calculate incorrect results.
    • An assignment's Finish Date, Work, and Remaining Work values are wrong when team members enter material units in PWA Tasks or Timesheets views.
    • User-generated (ad hoc) custom filters that are applied to PWA views don't display data values. For example, you open a custom filter dialog box in Project Center to add a filter on a date column. After you save, close, and then reopen the dialog box, the date you set isn't displayed.
    • When you submit a status update, task-level baseline data disappears from the Tasks view for the given task assignments.

This security update contains improvements and fixes for the following nonsecurity issues in SharePoint Server 2016:

  • Translate some terms in multiple languages to make sure that the meaning is accurate.
  • Fixes the following issues:
     
    • Word documents and PowerPoint presentations that have invalid hyperlinks aren't searchable.
    • The body property of large files is dropped in Content Enrichment Web Service (CEWS). This update removes the threshold on the maximum body size of a document before it is sent to CEWS.
    • Administrators who wish to suppress modern authentication with Office 2016 applications can now configure the SPSecurityTokenServiceConfig object when the SuppressModernAuthForOfficeClients property is set to $false.
       
      • Office 2016 clients can’t authenticate with ADFS against SharePoint Server 2016.

        Currently, Office 2016 clients and SharePoint Server 2016 use the Modern Authentication protocol to communicate. In certain scenarios, such as with ADFS installations, Modern Authentication isn’t supported by the Office 2016 clients. In the June 2017 PU, final version, we’ve made improvements so that SharePoint administrators can now configure SharePoint to suppress Modern Authentication in Office 2016 clients.

        To configure SharePoint Server 2016 to suppress Modern Authentication in Office 2016 clients, run the following Windows PowerShell commands in SharePoint 2016 Management Shell:
         
        1. Before you can use the Add-SPShellAdmin cmdlet to grant permissions for users to run SharePoint Server 2016 cmdlets, verify that you meet all the following minimum requirements:
          • You must have membership in the securityadmin fixed server role on the SQL Server instance.
          • You must have membership in the db_owner fixed database role on all databases that are to be updated.
          • You must be a member of the Administrators group on the server on which you are running the Windows PowerShell cmdlet.
        2. At the Windows PowerShell command prompt, type the following commands:

          # Load the SharePoint cmdlets into this Windows PowerShell session
          Add-PSSnapin Microsoft.SharePoint.PowerShell
          $sts = Get-SPSecurityTokenServiceConfig
          $sts.SuppressModernAuthForOfficeClients = $true
          $sts.Update()
        3. Type iisreset /restart to restart IIS.
        4. Type Net stop sptimerv4, and then type Net start sptimerv4 to restart the SPTimerService.
        5. In Windows PowerShell, run the following command to verify that the change persisted:

          Note If you have closed the previous Windows PowerShell session, you must run the following commands as shown. If you are in the same session, you do not have to run the "Add-PSSnapin Microsoft.SharePoint.PowerShell" command again.

          Add-PSSnapin Microsoft.SharePoint.PowerShell
          $sts = Get-SPSecurityTokenServiceConfig
          $sts.SuppressModernAuthForOfficeClients
        Note Office 2013 clients are also affected. Microsoft is researching this problem and will post more information in this article when the information becomes available.
    • The SPFile.Author property now has a value for installations after migrating from the classic-mode authentication to claims-based mode authentication.
    • SPWebApplication FileNotFoundPage is not displayed correctly in some web browsers.
    • Server-side defined timesheet view grouping doesn't work with custom fields.
    • After you delete a search center sub site, you can't download search reports from site settings.
    • When there are more than 100 site collections, you can see paging on the Tenant Admin page (TA_SiteCollections.aspx).
    • Metadata navigation does not work for task lists.

How to get and install the update


Method 1: Microsoft Update

Method 2: Microsoft Update Catalog

Method 3: Microsoft Download Center

More Information


Security update deployment information

For deployment information about this update, see security update deployment information: June 13, 2017.

Security update replacement information

This security update replaces previously released security update KB3191880.

File hash information

Package Name: sts2016-kb3203432-fullfile-x64-glb.exe
Package Hash SHA 1: 41CC4C6FEC4889D137834B673FF1DF44B95489F4
Package Hash SHA 2: BA03B641F0359473BB36464B07AA5A354F02C807C3B404B57D617355CC23C49B
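
One way to check a downloaded copy of the package against the hashes listed above before installing it. This is an added example, not part of the original article. The function name Test-PackageHash and the download path are assumptions, and the 64-hex-digit "SHA 2" value is treated as SHA-256 based on its length.

```powershell
# Added example: compare a downloaded update package with the published hashes.
# Test-PackageHash is a hypothetical helper name chosen for this example.
function Test-PackageHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha1,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Package not found: $Path"
    }

    $expected = @{
        SHA1   = $ExpectedSha1.Trim()
        SHA256 = $ExpectedSha256.Trim()
    }

    # Compute each digest and compare it with the published value.
    # -eq on strings is case-insensitive, so hex case does not matter.
    foreach ($algorithm in 'SHA1', 'SHA256') {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm $algorithm).Hash
        [pscustomobject]@{
            Algorithm = $algorithm
            Expected  = $expected[$algorithm]
            Actual    = $actual
            Match     = ($actual -eq $expected[$algorithm])
        }
    }
}

# Assumed download location; adjust to where the package was saved.
$package = Join-Path $env:USERPROFILE 'Downloads\sts2016-kb3203432-fullfile-x64-glb.exe'

# Hash values copied from the "File hash information" section of this article.
$check = Test-PackageHash -Path $package `
    -ExpectedSha1   '41CC4C6FEC4889D137834B673FF1DF44B95489F4' `
    -ExpectedSha256 'BA03B641F0359473BB36464B07AA5A354F02C807C3B404B57D617355CC23C49B'

$check | Format-Table -AutoSize

# Stop before installation if either digest differs.
if ($check.Match -contains $false) {
    throw "Hash mismatch for $package. Do not install this file."
}
```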

File information

For a list of the files that are provided in this update KB3203432, download the file information for update KB3203432.  

How to get help and support for this security update


Help for installing updates: Windows Update FAQ

Security solutions for IT professionals:
TechNet Security Support and Troubleshooting

Help for protecting your Windows-based computer from viruses and malware:
Microsoft Secure

Local support according to your country:
International Support

Propose a feature or provide feedback on SharePoint: SharePoint User Voice portal