Microsoft Explains Group Policy Changes Caused by June Security Patch

Microsoft's Directory Services team has now published a more thorough explanation about how a June security patch, MS16-072, will change Group Policy functionality for organizations.

The explanation can be found in this article. The MS16-072 patch fixes a theoretical man-in-the-middle attack flaw in Windows. However, in doing so, it changed the "security context with which user group policies are retrieved" for organizations using Group Policy. With the June Windows security patch applied, Group Policy settings are now retrieved in the machine's security context rather than in the user's security context.

That functionality change, which Microsoft pushed out "by design," caused grief for many IT pros who thought they were applying what seemed to be just another Windows security fix. The patch essentially broke network mappings and settings for some organizations. For background, please see this article.

If an organization had used security filtering on Group Policy Objects, then they may have seen the following problem areas, according to the Directory Services article:

  • Printers or mapped drives assigned through Group Policy Preferences disappear.
  • Shortcuts to applications on users' desktops are missing.
  • Security-filtered Group Policy does not process anymore.
  • You may see the following change in gpresult: "Filtering: Not Applied (Unknown Reason)".
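Because the patched client reads user policy in the computer's security context, a GPO whose security filtering removed read access for computer accounts is one that will show the symptoms above. The following PowerShell audit is an added example, not code from the article or from Microsoft; it assumes the RSAT GroupPolicy module on a domain-joined host and uses the well-known SIDs for Authenticated Users (S-1-5-11) and Domain Computers (RID 515) to flag GPOs that grant neither group at least Read.

```powershell
# Added example (not from the article). Requires the GroupPolicy RSAT module
# and a session with permission to read GPO security descriptors.
Import-Module GroupPolicy

function Test-GpoComputerReadable {
    param([Parameter(Mandatory)] $Gpo)
    # Under the MS16-072 behavior, user settings in a GPO are retrieved in the
    # computer's security context, so the computer account needs Read on the GPO.
    # Read is implied by GpoRead, GpoApply, GpoEdit and GpoEditDeleteModifySecurity.
    $readPerms = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')
    $perms = Get-GPPermission -Guid $Gpo.Id -All
    $readers = $perms | Where-Object {
        ($_.Trustee.Sid.Value -eq 'S-1-5-11' -or $_.Trustee.Sid.Value -like '*-515') -and
        ($_.Permission -in $readPerms)
    }
    return [bool]$readers
}

# Report every GPO in the domain whose security filtering leaves computer
# accounts unable to read it. Explicit Deny ACEs (reported as GpoCustom) are
# not evaluated here; review those GPOs by hand.
Get-GPO -All | ForEach-Object {
    if (-not (Test-GpoComputerReadable -Gpo $_)) {
        [PSCustomObject]@{
            DisplayName = $_.DisplayName
            Id          = $_.Id
            Trustees    = ((Get-GPPermission -Guid $_.Id -All).Trustee.Name -join ', ')
        }
    }
} | Format-Table -AutoSize
```

A GPO listed by this audit will still apply to the users it is filtered to once a Read entry for Authenticated Users or Domain Computers is added; the existing Apply entries for the filtered user group stay as they are.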

Uninstalling MS16-072 was said to have fixed the problem for some organizations, but it's clearly not a permanent fix. It doesn't fix the underlying Windows security hole, nor does it address the fact that Microsoft is basically pushing down new Group Policy functionality -- and it's using a security patch to do it, which might not be the approach expected by IT pros.

IT pros laboring in the patch management field typically are used to rolling with the punches. However, there were many complaints this time around that Microsoft didn't give advance notice about this coming Group Policy change. The June 22 article from the Microsoft Directory Services team may be helpful in that respect, but it arrived eight days after Microsoft's MS16-072 patch arrived.

It's just another lesson, perhaps, that while Microsoft has directed its development teams to be "agile" in pushing down software updates, most organizations put a premium on stability and being able to manage change in their computing environments. The two goals seem to be at odds.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
