KB5002778: Enables the automatic machine key rotation feature.

Description of the security update for SharePoint Server 2016: September 09, 2025 (KB5002778)

Summary
This security update resolves a Microsoft SharePoint remote code execution vulnerability, Microsoft Word information disclosure vulnerability, and Microsoft Office remote code execution vulnerability. To learn more about the vulnerabilities, see the following security advisories:

• Microsoft Common Vulnerabilities and Exposures CVE-2025-54906
• Microsoft Common Vulnerabilities and Exposures CVE-2025-54905
• Microsoft Common Vulnerabilities and Exposures CVE-2025-54897

Improvements and fixes
This security update contains improvements and fixes for the following nonsecurity issue in SharePoint Server 2016.

• You can now use the Test-DefenderAndAmsiWorkProperly cmdlet in SharePoint Management Shell to verify that all Windows Defender components are installed and active, and that SharePoint AMSI (Antimalware Scan Interface) integration is functioning correctly.
• In order to use workflows in SharePoint Server, you must now have the latest update for SharePoint Workflow Manager installed.
• To strengthen security in SharePoint Server, users in the WSS_WPG group are now restricted from running administrative processes, such as the SharePoint Products Configuration Wizard (Psconfig). For more information, see Account permissions and security settings in SharePoint Servers.​​​​​​​
• ​​​​​​​​​​​​​​Enables the automatic machine key rotation feature.
• Enhances the AMSI Filter feature module. Changes the default setting to be always on.