Microsoft Explains Group Policy Changes Caused by June Security Patch
Microsoft's Directory Services team has now published a more thorough explanation about how a June security patch, MS16-072, will change Group Policy functionality for organizations.
The explanation can be found in this article. The MS16-072 patch fixes a theoretical man-in-the-middle flaw in Windows. However, in doing so, it changed the "security context with which user group policies are retrieved" for organizations using Group Policy. With the June Windows security patch applied, user Group Policy settings are now retrieved using the machine's security context rather than the user's security context.
That functionality change, which Microsoft pushed out "by design," caused grief for many IT pros who thought they were applying what seemed to be just another Windows security fix. The patch essentially broke network drive mappings and other settings for some organizations. For background, please see this Redmondmag.com article.
If an organization had used security filtering on Group Policy Objects, then they may have seen the following problem areas, according to the Directory Services article:
- Printers or mapped drives assigned through Group Policy Preferences disappear.
- Shortcuts to applications on users' desktops are missing.
- Security filtering group policy does not process anymore.
- You may see the following change in gpresult: "Filtering: Not Applied (Unknown Reason)".
Uninstalling MS16-072 was said to have fixed the problem for some organizations, but it's clearly not a permanent fix. It doesn't close the underlying Windows security hole, nor does it address the fact that Microsoft is pushing down new Group Policy functionality and using a security patch to do it, which is not the approach IT pros would expect.
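The permanent fix is on the permissions side: after MS16-072 the computer account must be able to read every GPO that applies to the user, so a GPO that relies on security filtering and no longer grants Read to a group containing computers (Authenticated Users or Domain Computers) stops applying. The following PowerShell audit is an added example, not code from the article or from Microsoft; it assumes the RSAT GroupPolicy module and an account with rights to read (and, with -Fix, modify) GPO delegation.

```powershell
# Added example, not from the article or from Microsoft: find GPOs that use
# security filtering and no longer grant the Read access the computer account
# needs once MS16-072 retrieves user policy in the machine's security context.
# Assumes the GroupPolicy module (RSAT) and rights to read/modify GPO security.
Import-Module GroupPolicy

# Either of these groups contains the computer account; granting one of them
# Read (not Apply) on each filtered GPO restores processing.
$ComputerReadTrustees = @('Authenticated Users', 'Domain Computers')

function Get-GpoMissingComputerRead {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Fix)   # -Fix grants Authenticated Users Read on affected GPOs

    foreach ($gpo in Get-GPO -All) {
        $acl = Get-GPPermission -Guid $gpo.Id -All

        # Default delegation: Authenticated Users holds Apply, which implies
        # Read for every computer, so this GPO is unaffected.
        $defaultApply = $acl | Where-Object {
            $_.Trustee.Name -eq 'Authenticated Users' -and
            $_.Permission -eq 'GpoApply' -and -not $_.Denied
        }
        if ($defaultApply) { continue }

        # Filtered GPO: still fine if a computer-bearing group has Read or
        # Apply. GpoCustom ACEs are not inspected here; review those by hand
        # on the GPMC Delegation tab.
        $computerRead = $acl | Where-Object {
            $ComputerReadTrustees -contains $_.Trustee.Name -and
            $_.Permission -in @('GpoRead', 'GpoApply') -and -not $_.Denied
        }
        if ($computerRead) { continue }

        $remediated = $false
        if ($Fix -and $PSCmdlet.ShouldProcess($gpo.DisplayName,
                'Grant Authenticated Users Read')) {
            Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
            $remediated = $true
        }
        [PSCustomObject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            Remediated  = $remediated
        }
    }
}

# Report first; rerun with -Fix (supports -WhatIf) to add the missing Read ACE.
Get-GpoMissingComputerRead | Format-Table -AutoSize
```

Run the report before patching so the list of affected GPOs is known in advance; GPOs whose delegation was hand-edited to a custom ACL are skipped and need manual review.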
IT pros laboring in the patch management field typically are used to rolling with the punches. However, there were many complaints this time around that Microsoft didn't give advance notice about this Group Policy change. The June 22 article from the Microsoft Directory Services team may be helpful in that respect, but it arrived eight days after the MS16-072 patch itself.
It's just another lesson, perhaps, that while Microsoft has directed its development teams to be "agile" in pushing down software updates, most organizations put a premium on stability and being able to manage change in their computing environments. The two goals seem to be at odds.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.