Description of the security update for SharePoint Server 2016: July 10, 2018

Applies to: SharePoint Server 2016


This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures CVE-2018-8323, Microsoft Common Vulnerabilities and Exposures CVE-2018-8299, and Microsoft Common Vulnerabilities and Exposures CVE-2018-8300.

Note To apply this security update, you must have the release version of Microsoft SharePoint Server 2016 installed on the computer.

This public update delivers Feature Pack 2 for SharePoint Server 2016, which contains the following feature:

  • SharePoint Framework (SPFx)

This public update also delivers all the features that were included in Feature Pack 1 for SharePoint Server 2016, including:

  • Administrative Actions Logging
  • MinRole enhancements
  • SharePoint Custom Tiles
  • Hybrid Auditing (preview)
  • Hybrid Taxonomy
  • OneDrive API for SharePoint on-premises
  • OneDrive for Business modern experience (available to Software Assurance customers)

The OneDrive for Business modern user experience requires an active Software Assurance contract at the time that the experience is enabled, either by installation of the public update or by manual enablement. If you don't have an active Software Assurance contract at the time of enablement, you must turn off the OneDrive for Business modern user experience.

For more information, see New features included in the November 2016 Public Update for SharePoint Server 2016 (Feature Pack 1) and New features included in the September 2017 Public Update for SharePoint Server 2016 (Feature Pack 2).

Improvements and fixes

This security update contains improvements and fixes for the following nonsecurity issues in SharePoint Server 2016:

  • You can now add a site column that's based on an external list to a custom list.
  • You experience an error when you use the External Content type-based site column. In this situation, you cannot add a site column that is based on an external list to a list. After you install this update, you must remove the site column,  and then add the site column again.

  • The SuppressModernAuthForOfficeClients property does not work for Outlook calendar synchronization. In this situation, the calendar does not synchronize with SharePoint Server. This issue occurs because SharePoint Server issues a modern authentication to on-premises Outlook clients. After you install this update, SharePoint Server will no longer issue a modern authentication to the clients.

  • A user whose name contains a comma cannot be resolved in the Quick Edit menu in SharePoint Server 2016.

  • A farm administrator whose name contains a period can't upgrade SharePoint Apps.

  • When a farm administrator creates a search service application by using PowerShell, the database owner of the search service application database is the farm administrator and not the farm account that is used to run the timer service. The database owner of all databases should be the farm account. This update changes the owner of search-related databases to be the farm account.

This security update contains improvements and fixes for the following nonsecurity issues in Project Server 2016:

  • The ReadResourcePlan API is now available even if the Resource Engagements feature is enabled.
  • It takes a long time to process tasks in a project through the client-side object model (CSOM) APIs in Project 2016.

  • Local custom date type fields that have a formula and have the calculation for the task and group summary rows option set to minimum or maximum are not rolled up correctly to summary tasks when you update a project in Project Web App.

  • It takes a long time to load entities such as tasks, resources, and assignments through the client-side object model (CSOM) APIs if custom fields exist.

  • When you use the Chrome browser to open a project from the Project Center where the project name includes spaces, you receive the following error message: 

    Additionally, you receive the following error message: 

Known issues


After you apply this update (4022228), the PSConfig tool may fail and generate the following error messages: 


To fix a permission issue that is caused by provisioning the Search Service Application with PowerShell, this update (4022228) includes a change to re-link the "dbo" user to the farm service account for the search databases. However, the farm service account may already own the SPSearchDBAdmin database role, or other database roles, in some SharePoint farms. This prevents dropping the account in SQL Server and causes the PSConfig tool to fail.

Note This can affect any of the search databases of a Search Service Application.


To work around this issue, use SQL Server Management Studio to review the database roles of each Search Service Application database. If you find a database role whose owner isn't "dbo," manually change the owner of the database role to "dbo." Then you can run the PSConfig tool again.


Microsoft is aware of this issue. The change has been removed from the August 2018 update, and we are working on permanent fix that will be released in a future update.

How to get and install the update

Method 1: Microsoft Update

This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see Windows Update: FAQ.

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

Method 3: Microsoft Download Center

You can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.

Download icon
Download security update 4022228 for the 64-bit version of SharePoint Server 2016

More Information

Security update deployment information

For deployment information about this update, see security update deployment information: July 10, 2018.

Security update replacement information

This security update replaces previously released security update 4022173.

File hash information

File name SHA1 hash SHA256 hash
sts2016-kb4022228-fullfile-x64-glb.exe 13349FAA1129960EDE99FD515C30ABB96FF97D67 EC7C6D23E34328B6543D8D28CF2BFB6B8266FC5F332206B0A2A54B3F10C017B7

File information

For a list of the files that are provided in this security update 4022228, download the file information.

How to get help and support for this security update

Help for installing updates: Windows Update: FAQ

Security solutions for IT professionals: TechNet Security Support and Troubleshooting

Help for protecting your Windows-based computer from viruses and malware: Microsoft Secure

Local support according to your country: International Support