This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures CVE-2018-8323, Microsoft Common Vulnerabilities and Exposures CVE-2018-8299, and Microsoft Common Vulnerabilities and Exposures CVE-2018-8300.
Note To apply this security update, you must have the release version of Microsoft SharePoint Server 2016 installed on the computer.
This public update delivers Feature Pack 2 for SharePoint Server 2016, which contains the following feature:
SharePoint Framework (SPFx)
This public update also delivers all the features that were included in Feature Pack 1 for SharePoint Server 2016, including:
Administrative Actions Logging
SharePoint Custom Tiles
Hybrid Auditing (preview)
OneDrive API for SharePoint on-premises
OneDrive for Business modern experience (available to Software Assurance customers)
The OneDrive for Business modern user experience requires an active Software Assurance contract at the time that the experience is enabled, either by installation of the public update or by manual enablement. If you don't have an active Software Assurance contract at the time of enablement, you must turn off the OneDrive for Business modern user experience.
For more information, see New features included in the November 2016 Public Update for SharePoint Server 2016 (Feature Pack 1) and New features included in the September 2017 Public Update for SharePoint Server 2016 (Feature Pack 2).
Improvements and fixes
This security update contains improvements and fixes for the following nonsecurity issues in SharePoint Server 2016:
You can now add a site column that's based on an external list to a custom list.
You experience an error when you use the External Content type-based site column. In this situation, you cannot add a site column that is based on an external list to a list. After you install this update, you must remove the site column, and then add the site column again.
The SuppressModernAuthForOfficeClients property does not work for Outlook calendar synchronization. In this situation, the calendar does not synchronize with SharePoint Server. This issue occurs because SharePoint Server issues a modern authentication to on-premises Outlook clients. After you install this update, SharePoint Server will no longer issue a modern authentication to the clients.
A user whose name contains a comma cannot be resolved in the Quick Edit menu in SharePoint Server 2016.
A farm administrator whose name contains a period can't upgrade SharePoint Apps.
When a farm administrator creates a search service application by using PowerShell, the database owner of the search service application database is the farm administrator and not the farm account that is used to run the timer service. The database owner of all databases should be the farm account. This update changes the owner of search-related databases to be the farm account.
This security update contains improvements and fixes for the following nonsecurity issues in Project Server 2016:
The ReadResourcePlan API is now available even if the Resource Engagements feature is enabled.
It takes a long time to process tasks in a project through the client-side object model (CSOM) APIs in Project 2016.
Local custom date type fields that have a formula and have the calculation for the task and group summary rows option set to minimum or maximum are not rolled up correctly to summary tasks when you update a project in Project Web App.
It takes a long time to load entities such as tasks, resources, and assignments through the client-side object model (CSOM) APIs if custom fields exist.
When you use the Chrome browser to open a project from the Project Center where the project name includes spaces, you receive the following error message:
Project Web App was unable to find the specified Project.
Additionally, you receive the following error message:
Sorry, we were unable to open your project. Please try again. If this happens again, contact your administrator.
After you apply this update (4022228), the PSConfig tool may fail and generate the following error messages:
An exception of type Microsoft.SharePoint.PostSetupConfiguration.PostSetupConfigurationTaskException was thrown. Additional exception information:
Upgrade [SearchAdminDatabase Name=SEARCH_DB] failed. (EventID:an59t)
Exception: The database principal owns a database role and cannot be dropped. The proposed new database owner is already a user or aliased in the database. (EventID:an59t)
Upgrade Timer job is exiting due to exception: System.Data.SqlClient.SqlException (0x80131904): The database principal owns a database role and cannot be dropped. The proposed new database owner is already a user or aliased in the database.
To fix a permission issue that is caused by provisioning the Search Service Application with PowerShell, this update (4022228) includes a change to re-link the "dbo" user to the farm service account for the search databases. However, the farm service account may already own the SPSearchDBAdmin database role, or other database roles, in some SharePoint farms. This prevents dropping the account in SQL Server and causes the PSConfig tool to fail.
Note This can affect any of the search databases of a Search Service Application.
To work around this issue, use SQL Server Management Studio to review the database roles of each Search Service Application database. If you find a database role whose owner isn't "dbo," manually change the owner of the database role to "dbo." Then you can run the PSConfig tool again.
Microsoft is aware of this issue. The change has been removed from the August 2018 update, and we are working on permanent fix that will be released in a future update.
How to get and install the update
Method 1: Microsoft Update
This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see Windows Update: FAQ.
Method 2: Microsoft Update Catalog
To get the stand-alone package for this update, go to the Microsoft Update Catalog website.
Method 3: Microsoft Download Center
You can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.
Security update deployment information
For deployment information about this update, see security update deployment information: July 10, 2018.
Security update replacement information
This security update replaces previously released security update 4022173.
File hash information
For a list of the files that are provided in this security update 4022228, download the file information.
How to get help and support for this security update
Help for installing updates: Windows Update: FAQ
Security solutions for IT professionals: TechNet Security Support and Troubleshooting
Help for protecting your Windows-based computer from viruses and malware: Microsoft Secure
Local support according to your country: International Support
Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.