MS16-072 may cause problems with Group Policy

Discussion in 'other software & services' started by FanJ, Jun 16, 2016.

  1. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    MS16-072 may cause problems with respect to Group Policy.

    https://support.microsoft.com/en-us/kb/3163622

    There are postings about it. To name a few:
    http://www.theinquirer.net/inquirer/news/2461827/patch-tuesday-balls-up-reveals-hidden-system-drives

    http://www.theregister.co.uk/2016/06/15/microsoft_fix_borks_group_policy/

    https://social.technet.microsoft.co...e34/patch-tuesday-kb3159398?forum=winserverGP
    And more ...

    Maybe it would be good to read the Known Issues at MS16-072 and the Symptoms, Cause and Resolution there in case you are affected; this might solve your problems.
     
  2. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    It was also posted by Dragon1952 in the "Bork Tuesday" thread, reply #2383, here.
     
  3. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    I'll try to give the info that MS is giving at this moment in KB 3163622, revision 4.0.

    Quotes from Known Issues and further down there:

    MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer's security context. This issue is applicable for the following KB articles:

    • 3159398 MS16-072: Description of the security update for Group Policy: June 14, 2016

    • 3163017 Cumulative update for Windows 10: June 14, 2016

    • 3163018 Cumulative update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: June 14, 2016

    • 3163016 Cumulative Update for Windows Server 2016 Technical Preview 5: June 14 2016

    Symptoms

    All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.

    Cause

    This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.

    Resolution

    To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:
    • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
    • If you are using security filtering, add the Domain Computers group with read permission.
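
    An added example, not part of the original post or of the KB article: the read-permission check from the Cause and Resolution above, run over constructed permission entries shaped like `Get-GPPermission -All` output. The function and helper names, the sample GPOs and SIDs are assumptions, and only the two trustees the KB names are checked.

```powershell
# Permission levels that include Read on a GPO (GpoCustom needs manual review).
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

# Hypothetical helper: $true if Authenticated Users or Domain Computers
# holds a non-denied permission that includes Read.
function Test-GpoComputerReadable {
    param([object[]]$Permissions)
    foreach ($p in $Permissions) {
        if ($p.Denied) { continue }
        if ($ReadLevels -notcontains $p.Permission.ToString()) { continue }
        $sid = $p.Trustee.Sid.ToString()
        # S-1-5-11 = Authenticated Users; domain RID 515 = Domain Computers.
        # Matching on SID avoids localized group names.
        if ($sid -eq 'S-1-5-11' -or $sid -like 'S-1-5-21-*-515') { return $true }
    }
    return $false
}

# Constructed sample data (not from a real domain).
function New-SamplePerm($Name, $Sid, $Level, $Denied = $false) {
    [pscustomobject]@{
        Trustee    = [pscustomobject]@{ Name = $Name; Sid = $Sid }
        Permission = $Level
        Denied     = $Denied
    }
}
$dom = 'S-1-5-21-1111111111-2222222222-3333333333'   # made-up domain SID
$samples = [ordered]@{
    'Default GPO'              = @(New-SamplePerm 'Authenticated Users' 'S-1-5-11' 'GpoApply')
    'Filtered, users only'     = @(New-SamplePerm 'HR Users' "$dom-1105" 'GpoApply')
    'Filtered, computers read' = @(
        (New-SamplePerm 'HR Users' "$dom-1105" 'GpoApply'),
        (New-SamplePerm 'Domain Computers' "$dom-515" 'GpoRead'))
}
foreach ($name in $samples.Keys) {
    $ok = Test-GpoComputerReadable -Permissions $samples[$name]
    '{0,-26} computer can read: {1}' -f $name, $ok
}

# Against a live domain (GroupPolicy module, run as a GPO administrator):
# Get-GPO -All | Where-Object {
#     -not (Test-GpoComputerReadable -Permissions (Get-GPPermission -Guid $_.Id -All))
# } | Select-Object DisplayName, Id
# Fix per the KB, previewed with -WhatIf first:
# Set-GPPermission -Guid <gpo-guid> -TargetName 'Authenticated Users' `
#     -TargetType Group -PermissionLevel GpoRead -WhatIf
```

    The "Filtered, users only" sample is the case the KB describes: it is security filtered to a user group, so after MS16-072 the computer account cannot read it and the user policy is not applied.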
     
  4. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    66
    Would this update cause problems with the cryptoprevent program and/or daily use by an average user just surfing the web? Thanks. Win7 64-bit
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,087
    As I understand it, this affects computers joined to domains, so it shouldn't create problems with stand-alone systems?
     
  6. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    261
    Location:
    USA
    I just applied the update and it did not cause any problems when I ran the cryptoprevent self-test. (However, I observed previously that cryptoprevent showed expired signing certificates as of May 7, 2016 and wonder if anyone else has noticed this.)
     