September 2024 CU for SharePoint Server 2016 is available for download

The product group released the September 2024 Cumulative Update for SharePoint Server 2016 product family.

This CU also includes Feature Pack 1 which was released with December 2016 CU and Feature Pack 2 which was released with September 2017 CU.

The KB articles for September 2024 CU should be available at the following locations in a couple of hours:

  • KB 5002624 – September 2024 Update for SharePoint Server 2016 (language independent)
    This is also a security update!
  • There was no language dependent fix released this month.
    The most recent language dependent fix is KB 5002524 from December 2023 CU.
    If this is not yet installed on your Farm, you need to install it together with the language independent fix.

The downloads for September 2024 CU are available through the following links:

Important: It is required to install both fixes (language dependent and independent) to fully patch a SharePoint server. This applies also to servers which do not have language packs installed. The reason is that each SharePoint installation includes a language dependent component together with a language independent component. If additional language packs are added later (only) the language dependent fix has to be applied again.

It is irrelevant which language you pick on the drop down in download center. Even the language dependent fixes are all in the same package for all languages.

After installing the fixes you need to run the SharePoint 2016 Products Configuration Wizard on each machine in the farm. If you prefer to run the command line version psconfig.exe ensure to have a look here for the correct options.

 
SharePoint 2016 September 2024 CU Build Numbers:

Language independent fix: 16.0.5465.1001

 
To understand the different version numbers please have a look at my article which explains the different SharePoint build numbers.

Please ensure to have a look at the SharePoint Patching Best Practices before applying new fixes.

Related Links:

7 Comments


  1. We ran into the same (or virtually the same) issue discussed in https://support.microsoft.com/en-us/topic/some-scenarios-of-sharepoint-2010-workflow-are-affected-after-applying-the-july-security-update-for-sharepoint-server-kb5004862-be361cd6-9f54-48c4-b890-2c4b7cf49d13 after applying the Dec 2003 update [Update for Microsoft SharePoint Enterprise Server 2016 (KB5002524) 64-Bit Edition] and the Sept 2024 CU [Security Update for Microsoft SharePoint Enterprise Server 2016 (KB5002624) 64-Bit Edition] in our SP2016 QA farm. Workflows wouldn’t start and could not be published. I set “legacy workflow” logging category to verbose and found “c42q8” EventID tags in the SharePoint ULS logs. Fortunately, the temporary workaround mentioned in the same article with PowerShell worked again for us.

    09/12/2024 16:04:45.74 w3wp.exe (0x1478) 0x050C SharePoint Foundation Legacy Workflow Infrastructure c42q8 High CompileBytes: Web https:********, Site https://**********, Tenant , Error parsing xoml: <ns0:RootWorkflowActivityWithData x:Class=”Microsoft.SharePoint.Workflow.ROOT”

    Reply

    1. Hi Hondo,
      please check the “Known issues” section of September 2024 CU. I assume you are running into the issue listed there.
      Please apply the respective workaround.
      Cheers,
      Stefan

      Reply

  2. Hi Stefan,

    The “Known issues” section of Sept. 2024 CU states that “You can look for event tag “c42q0″ in ULS logs to find the blocked type”. I have confirmed that I’m affected by the patch, but I can’t seem to find the blocked type in my ULS. Could you clarity? Here’s my log entry:

    Potentially malicious xoml node:

    Thanks,

    Reply

  3. Hi Stefan,

    I just realized that there’s a separate thread for the known Workflow issue, please ignore my question above. (https://blog.stefan-gossner.com/2024/09/13/trending-issue-problems-with-workflows-after-applying-september-2024-cu-for-sharepoint-2016-2019-se)

    I’d like to make a comment about another issue I found though, which was already mentioned by someone on your “SharePoint September 2024 CU for SharePoint SE” page. I’m running SharePoint 2016 farms and our custom web part got broken after applying the September CU. ULS showed “Missed type in new allowlist” (Event ID 6d3sf) and “Microsoft.SharePoint.ApplicationRuntime.SafeControls+UnsafeControlException” (Event ID ajlz0) even though the assembly was already listed in the web.config’s SafeControls list. I had to add ‘ControlCompatMode=”True”‘ to the SafeMode node as a workaround.

    Thanks,

    Reply

    1. Hi Sam,
      is there a callstack listed with this error?
      It might be that this web part uses a binary serializer which is unsafe and got blocked.
      If you are unsure or if this needs further investigation, please open a ticket with Microsoft support to ensure that this can be investigated in more detail.
      Cheers,
      Stefan

      Reply

      1. Sure, here’s the stack. It does seem like it’s using the binary serializer:

        09/30/2024 11:09:40.02 w3wp.exe (0x3BA0) 0x26C0 SharePoint Foundation Web Parts 6d3sf Medium Missed type in new allowlist. Type = System.Collections.Generic.List1[assemblyNamespaceConfiguration] e24555a1-f73f-00bf-0c71-4e6284b33357
        09/30/2024 11:09:40.02 w3wp.exe (0x3BA0) 0x26C0 SharePoint Foundation Web Parts apmew High Allowing ControlCompatMode=false object in ObjectFormatter. Type = System.Collections.Generic.List
        1[[assemblyNamespaceConfiguration, assemblyName, Version=1.0.0.0, Culture=neutral, PublicKeyToken=8c35619dfd12c137]], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 e24555a1-f73f-00bf-0c71-4e6284b33357
        09/30/2024 11:09:40.02 w3wp.exe (0x3BA0) 0x26C0 SharePoint Foundation General ajlz0 High Getting Error Message for Exception System.ArgumentException: The serialized data is invalid. —> Microsoft.SharePoint.ApplicationRuntime.SafeControls+UnsafeControlException: The control type ‘System.Collections.Generic.List1[[assemblyNamespaceConfiguration, assemblyName, Version=1.0.0.0, Culture=neutral, PublicKeyToken=8c35619dfd12c137]]' is not allowed on this page. at Microsoft.SharePoint.WebPartPages.SPSerializationBinder.IsAllowedType(Type type) at Microsoft.SharePoint.WebPartPages.SPSerializationBinderBase.CheckIfAllowedType(Type type) at Microsoft.SharePoint.WebPartPages.SPSerializationBinderBase.BindToType(String assemblyName, String typeName) at System.Runtime.Serialization.Formatters.Binary.ObjectReader.Bind(String assemblyString, String typeString) at System.Runtime.Serialization.Formatters.Binary.ObjectReader.GetType(BinaryAssemblyInfo assemblyInfo, String name) at System.Runtime.Serialization.Formatters.Binary.ObjectMap..ctor(String objectName, String[] memberNames, BinaryTypeEnum[] binaryTypeEnumA, Object[] typeInformationA, Int32[] memberAssemIds, ObjectReader objectReader, Int32 objectId, BinaryAssemblyInfo assemblyInfo, SizedArray assemIdToAssemblyTable) at System.Runtime.Serialization.Formatters.Binary.__BinaryParser.ReadObjectWithMapTyped(BinaryObjectWithMapTyped record) at System.Runtime.Serialization.Formatters.Binary.__BinaryParser.Run() at System.Runtime.Serialization.Formatters.Binary.ObjectReader.Deserialize(HeaderHandler handler, __BinaryParser serParser, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage) at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream, HeaderHandler handler, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage) at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream) at Microsoft.SharePoint.WebPartPages.SPObjectStateFormatter.DeserializeValue(SerializerBinaryReader reader) at Microsoft.SharePoint.WebPartPages.SPObjectStateFormatter.DeserializeValue(SerializerBinaryReader reader) at Microsoft.SharePoint.WebPartPages.SPObjectStateFormatter.Deserialize(Stream inputStream) --- End of inner exception stack trace --- at Microsoft.SharePoint.WebPartPages.SPObjectStateFormatter.Deserialize(Stream inputStream) at Microsoft.SharePoint.WebPartPages.Utility.DeserializeByteArrayToObject(SPSerializationBinderBase binder, Byte[] bytes) at Microsoft.SharePoint.WebPartPages.BinaryWebPartDeserializer.LoadInitialWebPart() at Microsoft.SharePoint.WebPartPages.BinaryWebPartDeserializer.Deserialize() at Microsoft.SharePoint.WebPartPages.SPWebPartManager.CreateWebPartsFromRowSetData(Boolean onlyInitializeClosedWebParts) e24555a1-f73f-00bf-0c71-4e6284b33357
        09/30/2024 11:09:40.02 w3wp.exe (0x3BA0) 0x26C0 SharePoint Foundation General g3ql Verbose GetUriScheme(/mp/siteCollUrl/SitePages/home.aspx) e24555a1-f73f-00bf-0c71-4e6284b33357
        09/30/2024 11:09:40.02 w3wp.exe (0x3BA0) 0x26C0 SharePoint Foundation Web Parts 7935 Information https://domainName/mp/siteCollUrl/SitePages/home.aspx - An unexpected error has been encountered in this Web Part. Type: webPartname, Error: The control type 'System.Collections.Generic.List
        1[[assemblyNamespaceConfiguration, assemblyName, Version=1.0.0.0, Culture=neutral, PublicKeyToken=8c35619dfd12c137]]’ is not allowed on this page. e24555a1-f73f-00bf-0c71-4e6284b33357

        Thanks,

        Reply

        1. Hi Sam,
          please contact the web part developer to ensure that use of binary serializer is removed from the web part. If required the developer can open a ticket with Microsoft Support. Be aware that Microsoft Support has to work directly with the developer of custom component to investigate issue related to custom components.
          Cheers,
          Stefan

          Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.