Microsoft Explains Group Policy Changes Caused by June Security Patch

Microsoft's Directory Services team has now published a more thorough explanation about how a June security patch, MS16-072, will change Group Policy functionality for organizations.

The explanation can be found in this article. The MS16-072 patch fixes a flaw in Windows that permitted a theoretical man-in-the-middle attack. However, in doing so, it changed the "security context with which user group policies are retrieved" for organizations using Group Policy. With the June Windows security patch applied, user Group Policy settings are now retrieved using the machine's security context rather than the user's security context.

That functionality change, which Microsoft pushed out "by design," caused grief for many IT pros who thought they were applying what seemed to be just another Windows security fix. The patch essentially broke network mappings and settings for some organizations. For background, please see this article.

If an organization had used security filtering on Group Policy Objects, then they may have seen the following problem areas, according to the Directory Services article:

  • Printers or mapped drives assigned through Group Policy Preferences disappear.
  • Shortcuts to applications on users' desktops are missing.
  • Security-filtered Group Policy does not process anymore.
  • You may see the following change in gpresult: "Filtering: Not Applied (Unknown Reason)".
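Because user policy is now read in the machine's security context, a GPO whose security filtering grants read access only to a user group is invisible to the computer account and shows up in gpresult as "Not Applied (Unknown Reason)". The following is an added example, not code from the article or from Microsoft, that audits every GPO in the domain for this condition. It assumes the RSAT GroupPolicy module is installed and that the well-known "Authenticated Users" and "Domain Computers" trustees carry their default English names; the function names Get-GpoMissingComputerRead and Add-GpoComputerRead are this example's own.

```powershell
# Added example: find GPOs that no computer account can read after MS16-072.
# Requires the GroupPolicy RSAT module and a domain-joined session with rights
# to read GPO permissions (and to change them, if remediation is requested).
Import-Module GroupPolicy

function Get-GpoMissingComputerRead {
    param(
        # Trustees whose Read grant covers every computer account.
        # Constructed default list; adjust if your domain uses localized names.
        [string[]]$ReadTrustees = @('Authenticated Users', 'Domain Computers')
    )

    # Any of these permission levels includes the right to read the GPO.
    $readLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

    foreach ($gpo in Get-GPO -All) {
        $perms = Get-GPPermission -Guid $gpo.Id -All

        $computerRead = $perms | Where-Object {
            -not $_.Denied -and
            ($ReadTrustees -contains $_.Trustee.Name) -and
            ($readLevels -contains [string]$_.Permission)
        }

        if (-not $computerRead) {
            # Report the GPO and who does hold permissions, so the admin can see
            # which user group the filtering was meant to target. GpoCustom ACEs
            # are not evaluated here and warrant a manual look.
            [pscustomobject]@{
                DisplayName = $gpo.DisplayName
                Id          = $gpo.Id
                Trustees    = ($perms | ForEach-Object {
                                  '{0}:{1}' -f $_.Trustee.Name, $_.Permission
                              }) -join '; '
            }
        }
    }
}

function Add-GpoComputerRead {
    # Grants Domain Computers Read (not Apply) on the given GPOs, which keeps the
    # existing user-group filtering intact while letting the machine fetch the GPO.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [guid]$Id,
        [Parameter(ValueFromPipelineByPropertyName)]
        [string]$DisplayName
    )
    process {
        if ($PSCmdlet.ShouldProcess($DisplayName, 'Grant Domain Computers GpoRead')) {
            Set-GPPermission -Guid $Id -TargetName 'Domain Computers' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
        }
    }
}

# Usage: list affected GPOs first, then rehearse the fix with -WhatIf before applying it.
Get-GpoMissingComputerRead | Format-Table -AutoSize
# Get-GpoMissingComputerRead | Add-GpoComputerRead -WhatIf
```

Run the audit from a management workstation before the patch reaches the fleet; on an already patched client, `gpresult /r` (or `gpresult /h report.html`) lists the same GPOs under "Filtering: Not Applied (Unknown Reason)". Granting Read rather than Apply is deliberate: it restores the machine's ability to retrieve the GPO without widening the set of users the policy applies to.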

Uninstalling MS16-072 was said to have fixed the problem for some organizations, but it's clearly not a permanent fix. It doesn't fix the underlying Windows security hole, nor does it address the fact that Microsoft is basically pushing down new Group Policy functionality -- and it's using a security patch to do it, which might not be the approach expected by IT pros.

IT pros laboring in the patch management field typically are used to rolling with the punches. However, there were many complaints this time around that Microsoft didn't give advance notice about this coming Group Policy change. The June 22 article from the Microsoft Directory Services team may be helpful in that respect, but it arrived eight days after Microsoft's MS16-072 patch arrived.

It's just another lesson, perhaps, that while Microsoft has directed its development teams to be "agile" in pushing down software updates, most organizations put a premium on stability and being able to manage change in their computing environments. The two goals seem to be at odds.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
