Microsoft's update KB3159398, released on patch day June 14, 2016, is causing serious problems with Windows Group Policy. Remark: Microsoft has updated the KB article with a description of the workaround posted below, and there is a PowerShell script to fix this issue.
I mentioned the important MS16-072: Security Update for Group Policy (3163622) within my blog post Microsoft Patch day June 14, 2016. This security update resolves a vulnerability in Microsoft Windows that could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine. All Windows versions are affected:
– Windows Vista Service Pack 2
– Windows Vista x64 Edition Service Pack 2
– Windows Server 2008 for 32-bit Systems Service Pack 2
(Windows Server 2008 Server Core installation affected)
– Windows Server 2008 for x64-based Systems Service Pack 2
(Windows Server 2008 Server Core installation affected)
– Windows Server 2008 for Itanium-based Systems Service Pack 2
– Windows 7 for 32-bit Systems Service Pack 1
– Windows 7 for x64-based Systems Service Pack 1
– Windows Server 2008 R2 for x64-based Systems Service Pack 1
(Windows Server 2008 R2 Server Core installation affected)
– Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
– Windows 8.1 for 32-bit Systems
– Windows 8.1 for x64-based Systems
– Windows Server 2012
(Windows Server 2012 Server Core installation affected)
– Windows Server 2012 R2
(Windows Server 2012 R2 Server Core installation affected)
– Windows RT 8.1
– Windows 10 for 32-bit Systems
– Windows 10 for x64-based Systems
– Windows 10 Version 1511 for 32-bit Systems
– Windows 10 Version 1511 for x64-based Systems
Shortly after the release of KB3159398 I got comments on my German blog about issues with this update. Later on, the TechNet forum thread Patch Tuesday – KB3159398 started a discussion of further issues. A reddit discussion also started about issues with printers. It seems that KB3159398:
- breaks desktop shortcuts and icons
- breaks drive mappings
- breaks printer and other GPOs
Some users uninstalled update KB3159398 – but this is not the best idea. A better workaround has been proposed in the TechNet forum thread Patch Tuesday – KB3159398. The broken GPOs are caused by a missing Read permission for Authenticated Users.
- Fire up Group Policy Management (gpmc.msc) on your Windows Server
- Go to the GPO you want to modify and open the Delegation tab
- Add Authenticated Users with Read permission
This should fix the GPO, and you should be able to use it again. Hope it helps – maybe Microsoft will release a revised update KB3159398 soon.
Postscript: Microsoft has added the workaround description
Microsoft has extended the KB3163622 (MS16-072: Security update for Group Policy: June 14, 2016) description with the following text.
Known issues
MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers' computers from a security vulnerability. Before MS16-072 is installed, user group policies are retrieved by using the user's security context. After MS16-072 is installed, user group policies are retrieved by using the machine's security context. This issue is applicable for the following KB articles:
- 3159398 MS16-072: Description of the security update for Group Policy: June 14, 2016
- 3163017 Cumulative update for Windows 10: June 14, 2016
- 3163018 Cumulative update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: June 14, 2016
- 3163016 Cumulative Update for Windows Server 2016 Technical Preview 5: June 14 2016
Symptoms
All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.
Cause
This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.
Resolution
To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:
- Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
- If you are using security filtering, add the Domain Computers group with read permission.
Update: PowerShell script to fix this issue
My MVP colleague Mark Heitbrink pointed me to the article New Group Policy Patch MS16-072 – "Breaks" GP Processing Behavior, where Darren created a PowerShell script to add the Read permission to GPOs.
See also this site that presents a solution.
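As an added example of what the GPMC steps and Microsoft's resolution above amount to in script form (this is my own illustration, not code from the blog post, from Microsoft, or from Darren's script), the following PowerShell audits every GPO in the current domain for a missing Read permission and, only when run with -Fix, adds Read for Authenticated Users. It assumes the GroupPolicy RSAT module is available on a domain-joined machine with rights to read and edit GPOs, that Get-GPPermission reports the trustees under the display names "Authenticated Users" and "Domain Computers", and the helper name Test-GpoReadPermission is mine.

```powershell
<#
  Added example (not from the blog post, Microsoft, or Darren's script).
  Audits all GPOs for the condition MS16-072 / KB3159398 exposes: no Read
  permission for "Authenticated Users" and none for "Domain Computers".
  Without -Fix the script only reports; with -Fix it grants Read (not Apply)
  to Authenticated Users so that existing security filtering keeps working.
  Supports -WhatIf through SupportsShouldProcess.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix
)

Import-Module GroupPolicy -ErrorAction Stop

# Permission levels that include Read on the GPO (GpoApply implies Read).
$readLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

function Test-GpoReadPermission {
    param(
        [Parameter(Mandatory)] $Gpo,
        [Parameter(Mandatory)] [string] $TrusteeName
    )
    # -All returns every ACE on the GPO; assumption: the trustee is matched by its display name.
    $aces = Get-GPPermission -Guid $Gpo.Id -All -ErrorAction Stop
    foreach ($ace in $aces) {
        if ($ace.Trustee.Name -eq $TrusteeName -and $readLevels -contains [string]$ace.Permission) {
            return $true
        }
    }
    return $false
}

$report = foreach ($gpo in Get-GPO -All) {
    $authRead = Test-GpoReadPermission -Gpo $gpo -TrusteeName 'Authenticated Users'
    $compRead = Test-GpoReadPermission -Gpo $gpo -TrusteeName 'Domain Computers'

    # After MS16-072 the computer account retrieves user policy, so a GPO is
    # affected when neither trustee Microsoft names can read it.
    $affected = -not ($authRead -or $compRead)

    if ($affected -and $Fix -and
        $PSCmdlet.ShouldProcess($gpo.DisplayName, 'Add Read permission for Authenticated Users')) {
        # GpoRead only: grants Read without "Apply Group Policy", so security filtering is preserved.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        $authRead = $true
    }

    [pscustomobject]@{
        GPO                    = $gpo.DisplayName
        AuthenticatedUsersRead = $authRead
        DomainComputersRead    = $compRead
        Affected               = $affected
    }
}

# Affected GPOs are listed first.
$report | Sort-Object Affected -Descending | Format-Table -AutoSize
```

Run it once without -Fix to see which GPOs would fail to apply, then with -Fix -WhatIf to preview the changes, and finally with -Fix. Granting GpoRead rather than GpoApply is the point of the Microsoft workaround: the machine can read the GPO again, while the user groups in the security filter still decide who gets it applied.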