Microsoft June Patch Breaks Group Policy Settings for Some Orgs
Update 6/22: Microsoft's Directory Services team today published a more thorough explanation of what changed and how IT pros should address the MS16-072 patch, as described in this Redmondmag.com article.
Update 7/6: Microsoft added an explanation about "security filtering" and the effects of the patch.
One of Microsoft's 17 patch Tuesday security releases issued this month has caused problems with Group Policy Object settings for some organizations that applied it.
Security update MS16-072 was designed to fix a potential man-in-the-middle attack security flaw in Windows, according to Microsoft's Knowledge Base article KB3163622. However, users have complained that their Group Policy settings were broken after applying the update, and drive mappings were off, including those for printers. The problems typically went away after uninstalling the update, users said.
Microsoft has updated its KB3163622 article to include a "known issues" explanation for this Group Policy problem. In essence, MS16-072 changes how Group Policies work. With the update applied, Group Policies work based on the machine's security context, instead of based on the user's security context. Here's how Microsoft explained it:
MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers' computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user's security context. After MS16-072 is installed, user group policies are retrieved by using the machine's security context.
The cause of the GPO problems, according to Microsoft's article, was missing Read permissions for the Authenticated Users group. Organizations that use security filtering on their GPOs (removing Authenticated Users so that only selected groups apply the policy) are the ones most likely to be missing that Read permission.
Here's Microsoft's solution:
To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:
- Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
- If you are using security filtering, add the Domain Computers group with read permission.
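The two GPMC steps above can also be audited and applied in bulk. The following PowerShell script is an added example for this article; it is not Microsoft's published script and not Emin Atac's. It assumes the GroupPolicy RSAT module (Get-GPO, Get-GPPermission, Set-GPPermission) is installed and that the session can read, and with -Remediate edit, GPO security in the current domain. It reports every GPO that lacks a Read-capable entry for either Authenticated Users (well-known SID S-1-5-11) or the domain's Domain Computers group (RID 515), and with -Remediate grants Authenticated Users the GpoRead level, which does not grant Apply, so existing security filtering is left as it was.

```powershell
# Added example (not Microsoft's or the MVP's script): audit GPOs in the current
# domain for the Read permission that MS16-072 relies on, and optionally grant it.
# Run without switches to report only; add -Remediate (and -WhatIf to preview).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Grant 'Authenticated Users' Read on GPOs that lack both qualifying entries.
    [switch]$Remediate
)

Import-Module GroupPolicy -ErrorAction Stop

# Permission levels that include Read; GpoApply means Read + Apply.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoReadPermission {
    param(
        [Parameter(Mandatory)] $Gpo,
        # Wildcard matched against the trustee SID, e.g. 'S-1-5-11' or '*-515'.
        [Parameter(Mandatory)] [string]$SidPattern
    )
    $acl = Get-GPPermission -Guid $Gpo.Id -All
    # A non-denied ACE for the trustee with a Read-capable level counts as present.
    $match = $acl | Where-Object {
        $_.Trustee.Sid.Value -like $SidPattern -and
        -not $_.Denied -and
        $readLevels -contains [string]$_.Permission
    }
    return [bool]$match
}

$report = foreach ($gpo in Get-GPO -All) {
    $hasAuthUsers = Test-GpoReadPermission -Gpo $gpo -SidPattern 'S-1-5-11'
    $hasDomComp   = Test-GpoReadPermission -Gpo $gpo -SidPattern '*-515'
    $status = if ($hasAuthUsers -or $hasDomComp) { 'OK' } else { 'MissingRead' }

    if ($status -eq 'MissingRead' -and $Remediate -and
        $PSCmdlet.ShouldProcess($gpo.DisplayName, "Grant 'Authenticated Users' Read")) {
        # GpoRead only: no Apply bit, so security filtering is unchanged.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        $status = 'Fixed'
    }

    [pscustomobject]@{
        Name                = $gpo.DisplayName
        Id                  = $gpo.Id
        AuthenticatedUsers  = $hasAuthUsers
        DomainComputers     = $hasDomComp
        Status              = $status
    }
}

$report | Sort-Object Status -Descending, Name | Format-Table -AutoSize
```

Because the script declares SupportsShouldProcess, `.\Test-Gpo.ps1 -Remediate -WhatIf` lists which GPOs would be changed without touching them, which is the sensible first run before the patch is deployed. Matching on SIDs rather than display names keeps the check working in domains where the built-in group names are localized.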
Microsoft also published a PowerShell script "to help identify GPOs, from the current domain, that might experience the issue once the update is applied," according to Ian Farr, a senior support consultant at Microsoft's Global Business Support group. The script "lists GPOs that may need the 'Authenticated Users' read permission or 'Domain Computers' read permission adding," Farr explained.
Microsoft Most Valuable Professional Emin Atac also published scripts in a blog post that will check for GPOs without Authenticated Users, along with scripts to add them back. He recommended running them before applying the MS16-072 security patch.
In addition, suggestions for fixing the problem were described in this GPanswers.com article.
IT pros writing in the Patchmanagement.org list-serve forum debated whether the use of security filtering with GPOs was the issue. It may or may not be a recommended approach by Microsoft (there's a debate). However, former Microsoft MVP Rod Trent noted in a WindowsITPro article that this month's patch problems can't wholly be the fault of IT pros since Microsoft didn't issue a fix until after delivering a patch that "caused customer pain." However, he suggested that testing the patch beforehand could have saved some grief for IT pros.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.