SharePoint Patching Best Practices

If you only have 2 minutes, read the summary below. It documents the best practices discussed in this article in short statements. If you have more time, you should also read the rest of this article, which gives more background information on the different topics.

Summary

General recommendations

  • Evaluate all SharePoint security updates as soon as possible and install them shortly after they have been released
  • Evaluate all SharePoint updates in a test environment which resembles the production environment before installing them in production
  • Take backups before installing SharePoint updates
  • For virtual servers you can take snapshots of all machines in the farm (important: only “cold” snapshots are supported – see below for more details) before installing new updates
  • If you are using the command line tool PSCONFIG.EXE instead of the SharePoint Configuration Wizard be sure to specify all required parameters
  • After installing an additional language pack install the latest monthly update (for SharePoint Server 2016 and 2019 only the language dependent fix) again to ensure that the newly installed language components are upgraded to the same patch level as the rest of the farm
  • Keep Workflow Manager patching in sync with SharePoint patching
  • Last but not least: consider migrating your on-premises SharePoint farm to SharePoint in Microsoft 365 – here the complete patching effort and various other administrative tasks are handled by Microsoft for you.

SharePoint 2007 and SharePoint 2010

  • These versions of SharePoint are out of support and no updates (including security updates) are released for these versions anymore. Continuing to run SharePoint 2007 or 2010 in production workloads puts your data at risk. Microsoft recommends upgrading to a supported version immediately.

SharePoint 2013

  • SharePoint 2013 will go out of support in April 2023. Plan to upgrade to SharePoint Server 2019 or SharePoint Server Subscription Edition. The newer versions of SharePoint Server improve the patching experience significantly:
    • Simplified packaging model (only 2 different packages to install compared to 30+ in earlier versions)
    • Shorter patching time (due to the simplified consolidated packaging model)
    • Zero-downtime patching (no maintenance window required)
    • Patching using Side-by-side functionality
  • Reduce patching time to a fraction using Russ Maxwell’s PowerShell script
  • Apply the full server packages (also known as Uber packages) rather than individual fixes
  • Be aware that SharePoint Server 2013 and 2016 are in extended support and mainly security updates are released for these SharePoint versions. To get all the latest product improvements including non-security updates, upgrade to SharePoint Server 2019 or even better SharePoint Server Subscription Edition.
  • Patch levels older than April 2018 CU are no longer supported

SharePoint Server 2016, 2019 and Subscription Edition

SharePoint Patching Best Practices

Patching SharePoint can be challenging for SharePoint administrators for several reasons including the following:

  • Historically SharePoint consisted of a large number of components which could be patched independently
  • SharePoint patching requires two independent steps (installing the binaries and upgrading the databases)
  • SharePoint patch level needs to be in sync between different servers in the same SharePoint farm
  • SharePoint patching time is hard to predict and sometimes can take several hours
  • Microsoft recommends installing security updates as soon as possible to protect your environment from security vulnerabilities that others may try to exploit
  • There may be concerns that installing a SharePoint update could impact existing functionality
  • SharePoint updates cannot be uninstalled – so if something goes wrong there is no easy way to roll it back
  • Unlike other products like Windows or Office, it can be complex to automate the deployment of SharePoint updates across a farm

This article discusses several best practices and considerations for SharePoint administrators to simplify this process.

Best Practices around Security Updates

How quickly should security updates be installed?

Security updates should be installed as soon as possible after they are released – preferably within a couple of days. The longer your SharePoint environments operate without the latest security updates, the more risk you have that they could be compromised via an unpatched security vulnerability.

Do packages marked as security update only contain security related fixes?

No. SharePoint updates are cumulative, so each security update includes all fixes that have been released for both security and non-security related issues up to that point for the patched component.

Is it ok to install only the security updates and not the non-security updates released monthly?

Although it is supported to install only those packages which include the security updates it is recommended to keep SharePoint Server fully updated by installing the latest SharePoint updates regardless of whether they’re security or non-security updates. However, it is less urgent to install non-security updates quickly after they’re released unless you are impacted by one of the issues fixed in that update.

With SharePoint server 2016, 2019 and Subscription Edition only two SharePoint update packages (one package which includes fixes for all language independent components like executables and one package which includes fixes for all language dependent components like resource files) are required to patch a SharePoint server.

If a language dependent patch isn’t available for a given month, update to the latest previously available language dependent patch. For example, when applying the January 2023 Public Update for SharePoint Server 2019, install the language independent update for January 2023 and the language dependent patch from December 2022. If you do not install the language dependent patch, you may encounter missing or incorrect functionality.

Be aware that, based on the Updated Product Servicing Policy for SharePoint Server 2013, 2016 and 2019, it is mandatory to also install the non-security updates at least once a year.

General Recommendations

Best Practices to reduce the risk of regressions

Microsoft performs rigorous validation of each fix, both internally and with a select set of partners and customers before it is released to ensure it has the highest quality. This has helped to significantly reduce the number of regressions reaching our customers in the last couple of years.

Due to the large number of components and various ways to configure them, it is impossible to test all possible configuration combinations. So it’s unlikely, but possible, for a code change to introduce unwanted behavior with a specific configuration for some of our customers. Third party software and other customizations can also introduce additional variables that may be difficult to validate in our internal testing.

We recommend that customers use a test environment to validate new fixes with common use cases and business critical functionality before installing updates in their production environments. Test environments should simulate their production environments as much as possible to ensure meaningful validation.

As an additional safeguard we advise taking a backup (system state and file system backups of the SharePoint server and SQL / farm backup of the databases) before installing any updates, as it is not possible to uninstall SharePoint updates after they have been installed.

If the SharePoint farm is installed on virtual machines, taking a consistent snapshot of all servers (SharePoint, SQL, etc.) could be used as an alternative. However, it would require downtime as so-called “hot snapshots” are unsupported with SharePoint. The snapshots must be taken when all virtual machines are shut down to guarantee a consistent state between the SharePoint servers and the SharePoint databases.

Best practices around SharePoint Products Configuration Wizard and PSCONFIG.EXE

SharePoint patching consists of two steps: applying the binaries on each server, and running the SharePoint Products Configuration Wizard on each machine in the farm to finalize the installation by upgrading the SharePoint databases and performing other administrative tasks. Be aware that the configuration wizard performs various tasks on the SharePoint server machines themselves, including registering new or updated services and features and copying SharePoint binary files to the required locations. It is important that this step is performed after applying the patches; otherwise SharePoint might not function correctly. If this step has to be delayed (e.g. because the maintenance window is not big enough), at least the following PowerShell command has to be run on each server machine to ensure that the correct binary files are being used: Install-SPApplicationContent
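
An added example, not from the original article: after the binaries are installed, it reports whether the second step is still pending on any server or database, then either runs PSCONFIG.EXE with a full build-to-build parameter set or, when the upgrade has to be deferred, Install-SPApplicationContent. The function names, the hive parameter and the PSCONFIG argument list are assumptions not stated in the article; it is meant to be run from an elevated SharePoint Management Shell on a farm server.

```powershell
# Added example (not from the original article).
# Run on each SharePoint server after the update binaries have been installed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-PatchCompletionState {
    # Hypothetical helper: shows whether step 2 (configuration/upgrade) is still pending.

    # Refresh the patch inventory this server reports to the configuration database.
    Get-SPProduct -Local | Out-Null

    # Role 'Invalid' marks machines that are not SharePoint servers (e.g. the SQL server).
    $servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }

    [pscustomobject]@{
        FarmBuild         = (Get-SPFarm).BuildVersion
        LocalNeedsUpgrade = (Get-SPServer $env:COMPUTERNAME).NeedsUpgrade
        PendingServers    = @($servers | Where-Object { $_.NeedsUpgrade } |
                                Select-Object -ExpandProperty Name)
        PendingDatabases  = @(Get-SPDatabase | Where-Object { $_.NeedsUpgrade } |
                                Select-Object -ExpandProperty Name)
    }
}

function Complete-SharePointPatch {
    # Hypothetical helper: performs step 2, or the minimum required when step 2 is deferred.
    param(
        # 15 = SharePoint 2013, 16 = SharePoint Server 2016 / 2019 / Subscription Edition
        [ValidateSet('15', '16')]
        [string] $Hive = '16',

        # Set when the database upgrade has to wait for a later maintenance window.
        [switch] $Defer
    )

    if ($Defer) {
        # Minimum step named in the article: makes sure the correct binary files are used.
        Install-SPApplicationContent
        return
    }

    $psconfig = Join-Path $env:CommonProgramFiles `
        "microsoft shared\Web Server Extensions\$Hive\BIN\psconfig.exe"

    # Full parameter set for a build-to-build upgrade (assumption: not quoted from this
    # article). Leaving out the later -cmd groups skips work the wizard would have done.
    & $psconfig -cmd upgrade -inplace b2b -wait `
                -cmd applicationcontent -install `
                -cmd installfeatures `
                -cmd secureresources `
                -cmd services -install

    if ($LASTEXITCODE -ne 0) {
        throw "psconfig.exe exited with code $LASTEXITCODE; check the upgrade log before retrying."
    }
}

# Report the current state. A non-empty PendingServers or PendingDatabases list means
# the update is installed but not yet fully applied across the farm.
$state = Get-PatchCompletionState
$state | Format-List

# To finish patching on this server:    Complete-SharePointPatch -Hive '16'
# To defer the upgrade on this server:  Complete-SharePointPatch -Defer
```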

Best practices for patching with language packs

SharePoint consists of language independent components (e.g. executables) and language dependent components (e.g. resource files which carry UI elements for the different languages). During patching both components have to be updated to ensure that the binaries can reference the correct resource elements. Language packs include only the language dependent components of SharePoint.

If a new language pack is installed on a SharePoint farm the patch level of the language dependent components for the new language will most likely not be the same as the patch level of the language independent components and the patch level of the other language dependent components already installed on the server. To ensure that the components installed with the language pack are upgraded to the same patch level as the rest of the farm it is required to apply the most current installed monthly patch again. For SharePoint Server 2016, 2019 and Subscription Edition only the most current language dependent update must be applied again.

Best practice for patching Workflow Manager client on the SharePoint server machines

SharePoint updates sometimes include updates for the workflow activities for SharePoint 2013 workflows. It is important to ensure that the most current Workflow Manager updates are installed as well when new SharePoint updates are installed. This ensures that WFM is compatible with workflow activities updates included in the SharePoint update.

Also be aware that Workflow Client and Server components must be in sync. WFM client updates must be installed before WFM server is updated.

The SharePoint Configuration Wizard will update the SharePoint Workflow Activity definitions in WFM. In case this fails (e.g. because the WFM server cannot be reached because it is patched simultaneously with the SharePoint machines) the workflow definitions need to be updated manually after patching is completed using the following PowerShell command: Copy-SPActivitiesToWorkflowService

More details: Update Workflow in SharePoint Server

Best practice for patching with 3rd party components

3rd party components and other customizations cannot be considered when Microsoft tests new updates. It is important that the compatibility of 3rd party components with the latest updates is evaluated before new patches are installed in a production environment. A SharePoint administrator should contact the 3rd party vendor to get information about compatibility. In addition, the steps listed in the “Best Practices to reduce the risk of regressions” section earlier in this chapter should be followed.

Best Practices for legacy versions of SharePoint

SharePoint 2007 and 2010

These versions of SharePoint are out of support and no updates (including security updates) are released for these versions anymore. Continuing to use SharePoint 2007 or 2010 in production workloads puts your data at risk.

Our advice is to remove such systems from your network and upgrade to a fully supported version of SharePoint.

SharePoint 2013

Be aware that SharePoint Server 2013 and also 2016 are in extended support and mainly security updates are released for these SharePoint versions. To get all the latest product improvements including non-security updates, upgrade to SharePoint Server 2019 or even better SharePoint Server Subscription Edition.

Also ensure that you have a supported patch level based on the updated servicing policy for SharePoint 2013 and the Updated Product Servicing Policy for SharePoint Server 2016.

SharePoint 2013 and older have a significantly different packaging model than SharePoint Server 2016, 2019 and Subscription Edition. SharePoint 2013 and older have 30+ different patchable components which all can potentially be on a different patch level in a single farm. Keeping track of the patch level of all components and ensuring that the latest updates are installed can be challenging if the full server packages (also known as Uber packages) are not applied. This is especially important for security updates where it would be dangerous if a security update for a component is missing. In contrast SharePoint Server 2016 and 2019 have only two patchable components. To ensure that all patchable components are always on the latest patch level we recommend applying full server packages (also known as Uber packages) rather than individual fixes:

Unlike SharePoint Server 2016, 2019 and Subscription Edition, patching of a SharePoint 2013 farm cannot be done without downtime. This requires accurate planning of the required maintenance window to ensure that the patch downtime has minimum impact on users. Using the correct farm topology and the right strategy it is possible to reduce the downtime during patching of a 2013 farm to a minimum – but as mentioned before it is not possible to eliminate it completely.

If no further precautions are taken, installing the monthly fixes on a SharePoint server can take several hours as certain Windows services are started and stopped repeatedly. The installation time for updates can be reduced to a fraction of the normal installation time, e.g. by using the PowerShell script created by Russ Maxwell which ensures that the services are only restarted once.

Important: SharePoint 2013 will reach end of support on April 11, 2023. No further support (including both security updates and non-security updates) will be provided after this date.

Our advice is to plan the migration of your SharePoint 2013 environment to one of the fully supported versions of SharePoint (SharePoint Server 2019 or Subscription Edition) or – if possible – to SharePoint in Microsoft 365 before SharePoint 2013 reaches end of support.

SharePoint Server 2019 and Subscription Edition include several features which improve the patching experience significantly.

Best Practices for SharePoint Server 2016, 2019 and Subscription Edition

SharePoint Server 2016, 2019 and Subscription Edition have several improvements which enhance the patching experience significantly:

These use a simplified packaging model (only 2 different packages compared to 30+ in earlier versions) which reduces the size of the installation packages for our patches and also the installation time significantly.

Using the correct farm topology, it is possible to apply SharePoint updates for these versions without any downtime which removes the need for a maintenance window.

A side effect of zero-downtime patching is the fact that different servers in the farm are on different patch levels during the patching process. Due to these different patch levels, SharePoint servers would potentially serve different versions of the same JavaScript files to the end user. To prevent this SharePoint Server 2016, 2019 and Subscription Edition include side-by-side functionality which – if enabled – guarantees that all servers in the farm send the same JavaScript files to the end users during patching.

Closing Note

SharePoint patching can be a challenging task. As security updates are important and applying them quickly is critical, patching of SharePoint farms is a frequent task for SharePoint administrators.

Newer versions of SharePoint have been improved to reduce the complexity of patching and to guarantee availability during the patch timeframe. SharePoint administrators should still carefully plan their patching strategy to minimize the potential risks of patch deployment.

Migrating to SharePoint in Microsoft 365 can remove this burden from customers. Microsoft ensures that Microsoft 365 contains our most advanced security capabilities and fixes to protect customer data.

87 Comments


  1. If you only install the security updates on all SharePoint servers, do you have to run the Configuration Wizard on all servers afterwards?

    Reply

    1. Hi Raphael,
      ALL SharePoint fixes require the configuration wizard. No exceptions.
      Cheers,
      Stefan

      Reply

      1. Hi Stefan, thank you very much for your helpful blog. Do you know why running the config wizard after patch installation is not mentioned in the install instructions of the patches?
        Kind regards, Reto

        Reply

        1. Hi Reto,
          sorry to be honest I don’t know.
          Cheers,
          Stefan

          Reply

      2. Hi Stefan,
        Would this be the reason why SharePoint Security updates don’t get installed automatically like Windows updates?
        Regards,
        Gurpreet

        Reply

        1. Hi Gurpreet,
          for SharePoint farm installations security fixes do not install automatically as this needs to be planned to ensure that all servers are on the same patch level.
          For single server installations security fixes are installed automatically if you enable security fixes for other Microsoft products in addition to Windows.
          Cheers,
          Stefan

          Reply

          1. Thank you for the prompt response, Stefan.
            Your article is very helpful.


  2. Thanks Stefan, can you also confirm whether the security updates themselves can be uninstalled or is this the same for non-security where the farm needs to be rolled back or rebuilt?

    Reply

    1. There is no difference. You cannot uninstall fixes marked as security updates.

      Reply

  3. Stefan,
    I am trying to update a SharePoint farm from 2010 SP1 to 2010 SP2 to resolve an issue that is preventing me from migrating sites to online.
    Is there any order that I need to follow to install service pack 2 in my environment? Also, how easy would it be to restore SharePoint to a working state using VM checkpoints and a SQL full backup for a Sys Admin with limited SharePoint knowledge?

    Reply

    1. Hi James,
      you should install first SP2 for SharePoint Server 2010 and then SP2 for each installed language pack.
      Afterwards you need to run the SharePoint configuration wizard.

      To be able to revert to the previous state using snapshots you should shut down all SharePoint servers in the farm and also the SQL server.
      Afterwards you would take cold snapshots (meaning snapshots while the machines are shut down) of all SharePoint machines and the SQL server machine.
      Ensure to include the SQL server databases in the snapshot – alternatively you can take SQL backups of all SharePoint databases.
      After the snapshots are completed you need to restart the machines starting with the SQL server.
      Then install the SharePoint updates as listed above.
      If you need to revert to the previous state you should again shut down all machines including SQL server and reapply the previously created snapshots on all machines.
      Then boot up again, starting with the SQL server. If required, you can then restore the previously taken SQL backups. After SQL server is back in its previous state you would start the SharePoint machines and you should be good.

      Cheers,
      Stefan

      Reply

      1. Stefan,
        Thanks for your response. Regarding the language packs, how do I get their SP2? Do I have to manually download them from Microsoft, or can I get them via Windows Update or CU updates?

        Also, my DB is on SAN, can I just perform a full DB backup prior to the update rather than performing a cold snapshot on the server itself?

        And I have 3 servers in the farm, do I install SP2 on the one running central admin and then the other two servers, or is there no certain order for installing it?

        Reply

        1. Hi James,
          each language pack SP2 has to be downloaded and installed separately from download center.

          About SQL backup: yes, in this case take an SQL backup.

          It is recommended to start with the central admin server and afterwards install it on the other machines.

          Cheers,
          Stefan

          Reply

  4. Hi Stefan!

    This is a great post, thank you!

    I watched Neil Hodgkinsons & Bob Fox’s great video about ZDP, and I have a few ZDP questions (for SP2016).

    1) In the video, no special care was taken to pause the Search Service Application or stop Search services. But I assume I should still do that? (Like described in https://docs.microsoft.com/en-us/SharePoint/upgrade-and-update/install-a-software-update#HostSearch)

    2) Will Russ Maxwells patch binary installation script still help make binary installation faster in SP2016? Or is there no point in using his script for SP2016?

    3) In the video, Bob ran PSConfig first on his WFE1 server, as it had Central Admin (and it was of course removed in the load balancer). I host CA on all my servers, and usually run PSConfig/Wizard GUI on the first APP-server. Should I do as Bob does, or should I continue running PSConfig first on my APP server? But that will mess the server order suggested in the video…

    4) Just double checking: I can run ZDP without using side-by-side functionality, right?

    Thank you so much for any help!

    Reply

  5. Hi Steven,

    you are not correct that you are safe if the OS was properly patched.
    Any unpatched product running on top of a patched OS can lead to vulnerabilities.
    If you haven’t patched SP2013 since 2017 you are missing out 50+ security fixes and my recommendation would be to install all missing security fixes asap.

    Cheers,
    Stefan

    Reply

  6. Hello Stefan Sir,

    I am Ganesh working as a SharePoint Administrator.
    I want to generate audit report for 90 days in SharePoint 2013.
    So is there any Powershell Script to generate the same?

    Reply

  7. The last update on our SP2016 Server was Dec 2019, which is a multi-language update. So now can I do the May 2020 patch which doesn’t have a multi-language patch? Or do I have to update to April 2020 and then to May 2020? I would very much appreciate your answer. Thank you!

    Reply

    1. Hi Kalai,
      you need to install the language independent fix from May CU and the language dependent fix from April CU.

      Cheers,
      Stefan

      Reply

  8. Hi Stefan, Is it necessary to install language pack related security updates if we are not using any language packs in SP2019 farm?
    i.e. If we don’t have any language packs installed in the farm do we still need to install the language packs related security updates?

    Reply

    1. Yes it is necessary. SharePoint always has at least one language installed – the base language of your SharePoint installation. You can install additional languages through language packs. Language dependent security fixes apply to all installed languages including the base language.

      Cheers,
      Stefan

      Reply

  9. Hi Stefan, good day,

    I have questions regarding Microsoft SharePoint patches.

    My Microsoft SharePoint 2016 has not been patched for the past 6 months. I am planning to patch it mid of next month. Do I need to install the entire 6 months of patches, or should installing just the current month’s patches be sufficient? Please advise.

    Reply

    1. Hi Devs,
      you only have to install the most recent CU (as well the language dependent and the language independent component) to fully patch your server.
      Cheers,
      Stefan

      Reply

      1. Thank You for Prompt Response Stefan.. God Bless. 🙂

        Reply

  10. Hi Stefan,
    Thank you for the hard work you are doing for us.
    I have a SharePoint 2013 farm composed of 2 WFE servers, 2 App servers, and 2 SQL servers, the farm hasn’t been patched since September 2019. My questions are:
    1- which patch/es should I use, and how many are there since September 2019, should I apply all of them one by one?
    2- What order should I follow to do the patching? (Should I first dismount App server 1 from load balancer then run the binaries then mount it back; dismount App server 2 from load balancer run the binaries then mount it back and do the same for the 2 WFEs one by one then mount them back. And then dismount App server 1 from the load balancer and run PSConfig.exe then mount it back – dismount App server 2 from the load balancer, run PSConfigui.exe mount it back – and do same for the 2 WFE servers one by one.)
    I’m kinda lost on this part when patching is concerned (dismounting and mounting).
    I’m planning to do the patching this weekend and your inputs are appreciated.
    3- Is it possible to dismount say: App server 1 run the binaries and run PSConfigui.exe then mount it back to load balancer? And do the same with the remaining servers in load balancer?

    Best Regards/

    Reply

    1. Hi Franck,
      1) SharePoint CUs are cumulative. Just install the Uber packages of the latest CU and you are good.
      2) You should start with the machine hosting the central admin – the rest does not really matter.
      3) No. Machines with an older patch level cannot work with an upgraded database. You have to install the binaries first on all machines. Afterwards you should run psconfig on one machine (during this time users are not allowed to access the site collections on the database being upgraded – it would be unsupported. So you have a downtime here during database upgrade). After psconfig was run on one machine (which upgraded this machine and the databases) you can run psconfig on all other machines in parallel.
      More details can be found in this blog post:
      https://blog.stefan-gossner.com/2016/04/29/sharepoint-2016-zero-downtime-patching-demystified/
      It’s mostly about zero downtime patching for 2016 and 2019 but also discusses best practices to reduce the downtime for SP2013.
      Cheers,
      Stefan

      Reply

  11. Thank you so so much Stefan, this helps a lot.
    But all my machines have central administration. I didn’t build this farm, I took over when our admin left.
    In this case, should I start on WFE1 or App1 server or does it not matter which one?

    Thank you again.

    Reply

    1. In this case I would start with one of the app servers.

      Reply

      1. Thank you Stefan! You are the best.

        Reply

  12. Hi Stefan,

    Quick question, to disconnect a server like WFE or APP server from load balancer, is this the PowerShell command for disconnection: >”Disconnect-SPConfigurationDatabase”?
    After you finish patching, what’s the PowerShell command to connect the same server back again to the load balancer?

    Reply

    1. Hi Franck,
      you need to reconfigure the load balancer to ensure that it does not route traffic to the relevant server.
      This cannot be done with a powershell cmdlet of sharepoint – it depends on your load balancer if this can be scripted and how.
      Cheers,
      Stefan

      Reply

  13. Got it Stefan, Thank you!

    Reply

  14. Stefan,

    I have SP2019 and have a question about CUs. We do not have multi-language. When I apply a monthly CU, should we also apply the multi-language CU for that month?

    Thank you for the wide variety of great info on this and other topics.

    Reply

    1. Hi Steve,
      independent from the number of language packs: you always have to install only two packages: the language independent one and the language dependent one.
      The language dependent will apply the fixes for all installed language packs.
      Cheers,
      Stefan

      Reply

  15. Hi Stefan,
    Again thank you, today I did the patching and ran into an issue. I googled it and the first response that came up on how to fix the issue was your blog. It was very very helpful and I fixed it in a matter of seconds. I installed the patches but when I started the configuration wizard, almost all were missing on the servers and from your blog, you mentioned to run “Get-SPProduct -Local” which I did and the error was fixed, again thank you.
    But I do still have some errors, the configuration failed right at 8 of 10 (configuring or installing web application files),
    I ran config.exe, that didn’t work. The central administration can’t open, I can browse the site collections on the server. The database upgrade status said: failed (because the configuration wizard has errored out).
    Any ideas??

    Thank you

    Reply

  16. Hi Stefan,

    I really need help on this, I tried almost everything I could but I’m still having this issue. It’s the last part of the SP products configuration wizard in SharePoint 2013. This error happened when the configuration is at 9 of 10, here’s the error message:

    Configuration Failed
    one or more configuration tasks failed. Tasks that were successfully complete won’t be rolled back. Detailed failure information is listed here:

    Failed to upgrade SharePoint Products.

    This is a critical task. You have to fix failures before you can continue. Follow this link for more information about how to troubleshoot upgrade failure: http://go.microsoft.com/fwlink/?LinkId=259653

    An exception of type
    Microsoft.SharePoint.PostSetupConfiguration.PostSetupConfigurationTaskException was thrown. Additional exception information:

    <>

    Thank you and really need your help on this

    Reply

    1. Hi Franck,
      this requires a deeper analysis.
      I would recommend to open a support case with Microsoft to investigate this.
      Cheers,
      Stefan

      Reply

  17. Hi Stefan,

    I was able to fix the issue, thank you

    Reply

    1. Hi Franck, how did you resolve your issue?

      Reply

  18. Currently running 2013 Foundation at an RTM patch level (yes…I know). The database is also at 2012 SP1. What’s my best course forward for patching these? Do I need to patch SQL Server first? Should I install SharePoint SP1 first and then the highest CU? Long term endgame is to migrate to O365.

    Reply

    1. Hi John,

      we don’t have any best practices for such an outdated patch level.
      Personally I would first update SQL server to the latest patch level and then install SP1 + latest CU for SharePoint foundation.
      Ensure to take database and SPFarm backup before going through this to ensure to have a backup in case you need to roll back.

      Cheers,
      Stefan

      Reply

  19. Hi Stefan,

    Do SharePoint Cumulative updates also include the security fixes or do we have to install the security updates also along with the CUs.

    Thanks in advance..
    Logarajan

    Reply

    1. Hi Logarajan,
      it would be a weird design if the CUs would not include the most critical fixes. 😉
      Of course the CU includes the security fixes as well.
      Cheers,
      Stefan

      Reply

  20. Hi Stefan,
    If we setup automatic installation of security updates on a sharepoint farm, as now security update includes SharePoint updates, do we risk to have service interruption ?
    Best regards,
    Benjamin

    Reply

    1. Hi Benjamin,
      automatic installation of SharePoint security fixes is not encouraged.
      Reason is that SharePoint security fixes cannot be uninstalled and should be evaluated against all business critical features in a test environment before applying on production.
      Depending on the SharePoint version you could also leverage zero-downtime patching for SharePoint which will not work with automatic installation.
      With automatic patching you will for sure have downtime.
      Last point is that it is mandatory to run the SharePoint configuration wizard on all machines after the fixes have been installed on all machines – this is also a manual step and requires planning.

      In other words: I would not do it.

      Cheers,
      Stefan

      Reply

      1. Thanks a lot for your complete and very quick answer !

        Reply

  21. SharePoint 2016 October Security update (KB 4486677) is giving an error for large file uploads (>100 MB). Any fix for this?

    Reply

  22. Hi Stephan
    I installed Sept 2020 CU on our SP 2016 Farm. This Farm is 2 APP, 2 Index, 4 search, and 4 WFE server.
    It shows all updates green, but one WFE server seems to have gone wrong. Here, when I enter something on the search page, I get the message
    Sorry, something went wrong.
    SHOW DETAILS
    Access is denied.
    Correlation ID: ……
    Any idea?

    Reply

    1. Hi Schahram,
      I haven’t seen this. If you need assistance to get this analyzed I would recommend to open a support ticket with Microsoft.
      Cheers,
      Stefan

      Reply

      1. Thank you Stefan.

        Reply

  23. Hi Stefan,

    We are following these practices (along with stopping the services for patch installation) which have reduced SharePoint patches considerably!
    Thanks for your detailed blogs.

    My question to you is, when we run the SharePoint 2013 Products Configuration Wizard, after patches, should we stop the same services as well? We ran it last night and it took about 2hrs to finish, and we are seeing if it is normal or not.

    Regards,

    Reply

    1. Hi James,
      no that should not be done. Some of the upgrade steps are e.g. running in OWSTimer and if you stop it these steps cannot be completed.
      Cheers,
      Stefan

      Reply

  24. For a SharePoint farm with disaster recovery, which farm should we patch first?

    Reply

  25. Hello Stefan,
    I was trying to run “Install-SPPatch -Path C:\Source\patch” and it threw this error:
    Install-SPPatch : The term ‘Install-SPPatch’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:1
    + Install-SPPatch -Path C:\Source\patch -Pause -SilentInstall
    + ~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Install-SPPatch:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Is there any command to install a patch through PowerShell?

    Thank you for your guidance.

    Reply

    1. Hi Jaz,
      I have never heard about Install-SPPatch – it is not something coming with SharePoint.
      Searching with bing pointed me to this powershell resource
      https://www.powershellgallery.com/packages/SharePointPatchScript/1.0

      I have never used it and cannot comment on whether it works reliably or not and what exactly it does.
      I always install patches using the official steps:
      https://docs.microsoft.com/en-us/sharepoint/upgrade-and-update/install-a-software-update

      Cheers,
      Stefan

      Reply

  26. We have a problem with psconfigUI taking 2 hours on SP2019 front ends (on cache, app, and search servers it runs fast). Have you heard of this behavior? This is on a recently built farm with no content. Initially it took 2 hours, so we totally rebuilt the farm, then psconfig took only a half hour or so per server. Now, after the Feb security update, it is again at 2 hours for FEs.

    Reply

    1. Hi Vincent,
      the time psconfig runs depends on a large number of factors. If this is a concern for you and you would like to get this investigated I would recommend to open a ticket with Microsoft support to get this analyzed.
      Cheers,
      Stefan

      Reply

  27. Hi Stefan,
    My last update on SharePoint Server 2016 is for Aug 2019. I now need to patch my environment with all security updates. Do I need to install all security updates released since Aug 2019, or is just installing the Jan 2021 Security update sufficient?
    Regards,
    Ankita

    Reply

    1. Hi Ankita,
      if you install both security fixes from January 2021 it will be sufficient.
      All previously released security fixes are included in these two fixes.
      Cheers,
      Stefan

      Reply

      1. Was about to ask the same, I inherited an SP2019 Farm which hasn’t been patched in a long time.
        Do you think it matters on how many CUs have passed? The latest one should cover it all right?
        Thanks!

        Reply

        1. Hi Christian,
          correct. The latest one is sufficient.
          Ensure to install both fixes.
          Cheers,
          Stefan

          Reply

  28. Hi Stefan,
    Thanks for all your help and replies here, always helpful. I have one more question regarding the adding new server to the farm and patches on it.

    Our current SharePoint 2013 farm has Jan 2020 CU and since then we are applying security patches every month till the April security patch. The configuration database version is showing as 15.0.5327.1001, which as per the Microsoft Doc is for March 2021 CU.
    Now we need to add a new WFE into the farm. Question is what patches need to be installed on the new WFE before I add it to the farm? Do I need to install Jan 2020 CU and all security patches released since then on the new WFE, or will just Jan 2020 CU and the latest security patch (May 2021) be enough?

    Reply

    1. Hi Umr,
      in this case you need to install indeed Jan 2020 CU and the latest version for each patched component that got a security fix.
      As this is hard to determine the safest way is either of these two:
      – install May 2021 CU on all machines
      – install Jan 2021 CU on the new machine and all security fixes released afterwards
      Cheers,
      Stefan

      Reply

  29. Hi Stefan,
    Thanks for the information.
    One of my production SharePoint WFE servers (14.07015.1000) recently got MS Office 2010 KB2553347 auto-installed, and PSConfig has NOT been executed yet on this server.

    Is it safe/fine to uninstall this KB from this SharePoint server? We don’t want to install this update KB2553347 on other SharePoint servers.

    Once this is cleared/fixed we will install the latest April 2010 CU update.
    Thanks in Advance!

    Reply

    1. Hi Shiva,

      2553347 is a fix for Office Client which indicates that you have Office installed on the SharePoint WFE which is unsupported.
      In addition SharePoint 2010 is also out of support since around one year.

      Cheers,
      Stefan

      Reply

  30. Hi Stefan,

    How can I ensure that all services, app pools, sites, service applications i.e. all of SharePoint is back on after patching?

    In a recent support call with Microsoft on patching I was given a script that was supposed to start services but it did not…

    This caused a high number of VERY complex issues to fix – surely there is a way to turn everything back on after patching?

    Any idea what it is please?

    Reply

    1. Hi Steve,
      during Patching/PSConfig SharePoint stops the relevant services app pools, sites and service applications on the machine.
      After Patching/PSConfig they should be started again.
      If that’s not the case, something unexpected has happened.
      If this occurs always I would recommend to open a support ticket with Microsoft to get this investigated.
      Cheers,
      Stefan

      Reply
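A read-only way to check the state asked about in the question above, as an added example that is not from the blog author or Microsoft. The Windows service list is an assumption to adapt to the roles on each server, and the `Add-Finding` helper is a hypothetical name used only here.

```powershell
# Added example: read-only post-patch check for the local SharePoint server.
# Run in an elevated PowerShell session after patching and PSConfig finished.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Area, $Name, $State) {   # hypothetical helper
    $findings.Add([pscustomobject]@{ Area = $Area; Name = $Name; State = $State })
}

# 1. Windows services. Assumed list: adjust to the roles hosted on this server.
foreach ($name in 'SPTimerV4', 'SPAdminV4', 'W3SVC', 'IISADMIN') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    # Ignore services that are absent or deliberately disabled.
    if ($svc -and $svc.StartMode -ne 'Disabled' -and $svc.State -ne 'Running') {
        Add-Finding 'Windows service' $name $svc.State
    }
}

# 2. IIS application pools and sites that are not started.
# Some pools can be stopped by design; compare with a pre-patch baseline.
Get-ChildItem IIS:\AppPools | Where-Object { $_.State -ne 'Started' } |
    ForEach-Object { Add-Finding 'IIS app pool' $_.Name $_.State }
Get-ChildItem IIS:\Sites | Where-Object { $_.State -ne 'Started' } |
    ForEach-Object { Add-Finding 'IIS site' $_.Name $_.State }

# 3. SharePoint service instances stuck in a transitional state.
# 'Disabled' is normal for services not assigned to this server.
Get-SPServiceInstance -Server $env:COMPUTERNAME |
    Where-Object { $_.Status -in 'Provisioning', 'Unprovisioning', 'Upgrading' } |
    ForEach-Object { Add-Finding 'SP service instance' $_.TypeName $_.Status }

# 4. Servers in the farm that still need the Configuration Wizard / PSConfig.
Get-SPServer | Where-Object { $_.NeedsUpgrade } |
    ForEach-Object { Add-Finding 'SP server' $_.Name 'NeedsUpgrade' }

if ($findings.Count -eq 0) { 'No findings: everything checked is running.' }
else { $findings | Sort-Object Area, Name | Format-Table -AutoSize }
```

The script changes nothing on the server; running it before patching as well gives a baseline to compare the post-patch output against.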

  31. If we have the SharePoint foundation KB installed for the month of Nov’20, do we still need to install the KB for SharePoint enterprise for the month prior to Nov’20?
    Does the Foundation KB cover the fixes for the enterprise version as well?

    Reply

    1. Hi SharePoint Admin,
      SharePoint foundation is one component in SharePoint server. A SharePoint server CU includes many more components than SharePoint foundation.
      If SharePoint foundation fixes are installed you still have to install SharePoint server fixes to have a fully patched SharePoint server.
      Cheers,
      Stefan

      Reply

      1. Stefan —

        Your answer just confused me a bit. I have three Foundation 2013 farms with four servers each, all 12 are both WFE and App, and one three server Enterprise 2013 farm serving Search services to the other farms. Are you saying that when I update the CU for the Foundation farms (currently March 2021) I need to install both the Foundation and Enterprise CUs? I’ve always used the Foundation CU for the Foundation farms and the Enterprise CU for the Search farm.

        Reply

        1. Hi Mike,
          if you installed the Uber packages for SharePoint Server you don’t have to install the SharePoint Foundation fixes – they are included in the Uber package of SharePoint Server.
          On the other hand – what applies to the thread starter – if you applied a SharePoint foundation fix on a SharePoint server machine you still have to apply the SharePoint server fix to ensure that all SharePoint server components are patched.
          Cheers,
          Stefan

          Reply

          1. That makes sense.

            I think it was the way I was reading both the original question and your answer in the context of my interpretation. Since he applied the Foundation CU, I assumed (yeah, I know) he had a Foundation farm. Re-reading it, it appears he probably has an Enterprise farm he applied the Foundation CU to.


  32. Excellent summary of the Sharepoint patching process. Thanks Stefan!

    Reply

  33. Hi Stefan,
    I understood that I always have to install both patches per month, the language-independent and the language pack, just to be sure for a month with no language patch such as 02/2022: If I already installed both patches for January (KB5002113+KB5002118) and I install KB5002136 for February, do I have to (re-)install the language patch from January (KB5002118) again, because there is no language pack for February or is it sufficient that I already installed KB5002118 in January and do I only need to install KB5002136?

    Reply

    1. Hi Matthias,
      no – it is impossible to install the same fix twice.
      That’s also not necessary as both fixes address different components of your installation.
      If KB5002118 is already installed you only have to install KB5002136.
      Cheers,
      Stefan

      Reply

  34. Hi Stefan,

    What is the best practice for installing patches in SharePoint 2016 – monthly, quarterly, bi-yearly. I was told by our consultant to do it bi-yearly. What is your recommendation and why?

    Reply

  35. Hi Stefan,
    Thank you for this helpful information. My SP2019 on-prem farm was set up using a SP Farm svc account. My IT security team disabled access for the farm account to remote into the SP servers, and does not want to give access to the farm account to remote into the server to run patches.
    Could I copy permissions from the farm account to another account and use the new account to run patches or does it have to be the same account used to install SharePoint (farm account)? Trying to make a case here to get my access back, any help is truly appreciated!

    Reply

  36. Hi,

    We have an SP version 16.0.5266.1000 January 2022. We want to update it to July 2023. Can I install the July package directly or do I have to go through all releases until July?

    Thank you

    Reply

    1. Hi Demirel,
      SharePoint fixes are cumulative which means they include all earlier fixes.
      That means installing only the July 2023 CU is sufficient.
      Cheers,
      Stefan

      Reply

  37. Hi Stefan,

    Thanks a lot for your blog; I’ve been a fan since the SP2007 content deployment era.

    As many SharePoint admins I have to install the very hot security updates for SP2019 (KB5002754 & KB5002753).
    The thing is one of our SP2019 farms was quite dormant in the past few years and the latest CU was installed in September 2022!

    So my question is: Can I just install the latest Security Updates (KB5002754 & KB5002753) without any prior so-called CU to be in a supported state?

    I am asking because it seems that all updates (security and CUs) are cumulative and the size of the KB5002754 & KB5002753 security updates makes me think that it contains the July 2025 CU as well.
    Could you please confirm that?

    Follow up question would then be: for SP2019 / SPSE in 2025 is there still a difference between the monthly CUs and the security updates? (since they all seem to be cumulative updates…)

    Thanks in advance
    Matt.

    Reply

    1. Hi Matt,
      yes you can directly install the latest security fixes (5002754 + 5002753).
      All previous fixes are included in this including of course July 2025 CU.
      The only difference is that in some months we might ONLY release non-security updates.
      But if a security update is released then always as a whole CU.
      Cheers,
      Stefan

      Reply

      1. As always thanks a lot Stefan!

        What made me doubt was the sentence below but I guess water ran under the bridge since you first published that article:
        “Be aware that at least once a year it is mandatory to install also the non-security updates based on the Updated Product Servicing Policy for SharePoint Server 2013, 2016 and 2019”

        Thanks,
        Matt.

        Reply

        1. Hi Matt,
          ah! Got it.
          This is a supportability statement – not a technical limitation on installing a fix.
          If a support ticket is opened and the patch level is older, Microsoft Support can request first to apply a recent fix before the actual problem is being investigated.
          Cheers,
          Stefan

          Reply

          1. Thanks so much for the confirmation and for the time you spend on that blog!

            Matt.


  38. How are these log files deleted (PSCDiagnostics.log, Upgrade.log, and CopySidebySideFiles*.log) on SharePoint Server 2016? We have several sets of files going back multiple years. Is this controlled through the Central Admin settings? The Get-SPDiagnosticConfig is set to DaysToKeepLogs=14, LogMaxDiskSpaceUsage Enabled=True, LogDiskSpaceUsageGB=20.

    Reply

    1. I think they are never deleted. They are created only when patching SharePoint. The diagnostic logs are created every 30 minutes.

      Reply
