MS14-022 Known Issues

6/4/2014 Update:

As we are seeing Service Pack 1 and post-Service Pack 1 binaries being delivered with MS14-022, and there are fewer known issues with SharePoint 2013 Service Pack 1 farms, I would strongly recommend that SP1 be applied prior to installing MS14-022 or if that is not possible, as soon as possible after applying MS14-022. One of the MS14-022 knowledge base articles has also been updated to note that pre-SP1 farms must also install KB2880963.

Many of the known issues have active support cases open with Product Support Services at Microsoft, but if you’re experiencing one of these issues, opening another one does not hurt. Remember that product bugs (especially issues relating to a security hotfix) may be refundable if PSS and/or the product group can reproduce the bug in their environment. For those customers who have MSDN subscriptions, certain levels of MSDN subscriptions also come with support cases which you can leverage for these types of issues.

9/9/2014 Update:

The double encoding issue is resolved in the SharePoint 2013 September 2014 Cumulative Update. Please use the CU instead of applying the below workaround.


There are a few known issues with the security update, MS14-022 (Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166)). Most of these issues have been observed in SharePoint 2013, although some of them may also be present in SharePoint 2010. MS14-022 appears to contain many SP1 and/or post-SP1 binaries.

For SharePoint Server 2013 Pre-SP1 farms:

  1. The Office 365 links in Central Administration are now present, unsure of their functionality status.

  2. An error appears in the SharePoint Management Shell when it is opened. This has been previously associated with installing Foundation SP1 on Server.

Method 'Upgrade' in type 'Microsoft.SharePoint.WorkflowServices.WorkflowServiceApplicationProxy' from assembly 'Microsoft.SharePoint.WorkflowServices, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c' does not have an implementation.
  1. A behavior introduced to pre-SP1 farms that the SharePoint Product Group will be producing messaging on (this is both a bug and a behavior change).

For SP1 and Pre-SP1 farms:

  1. The April 2014 CU Classic to Claims conversion bug with Convert-SPWebApplication bug is present in MS14-022. (Fixed in the June 2014 Cumulative Update)

  2. “%25” is added to the URL when searching within the farm (Content Query Webparts, and elsewhere), otherwise known as the “double encoding” bug. (Workaround provided in this post) - 9/9/2014 - This issue is resolved in the SharePoint 2013 September 2014 Cumulative Update. Please use the CU instead of applying the below workaround.

While this security update is classified as Critical, this is a patch I would run through extended testing in a non-production farm if the production farm is currently not running Service Pack 1.

Trevor Seward is a Microsoft Office Apps and Services MVP who specializes in SharePoint Server administration, hybrid scenarios, and SharePoint Online. He has been working with SharePoint for 16 years from SharePoint 2003 on up, managing environments with terabytes of content for 150,000+ user organizations. Trevor is an author of Deploying SharePoint 2016 and Deploying SharePoint 2019. You can find him on Twitter and in /r/sharepoint.