Microsoft’s June 16 Security Patch Breaks Group Policy Settings

Earlier today we received a support call from one of our educational clients with a strange issue around Group Policy. It was strange because it only affected certain devices around the school, even after forcing Group Policy updates so that they ran the same policy versions as a working machine on the desk opposite. After a lot of testing we narrowed it down to a Windows Update… (nothing new, a lot of you will now be thinking).

It turns out that one of Microsoft’s Patch Tuesday security releases issued this month has caused problems with Group Policy Object settings for some organisations that applied it, either by default and/or without in-depth testing.

The update in question is Security Update MS16-072, which, according to Microsoft’s Knowledge Base article KB3163622, was designed to fix a potential man-in-the-middle attack flaw in Windows. However, various users have since complained that their Group Policy settings were broken after applying the update: drive mappings stopped working and, for some, printer mappings too. Users also reported that removing the update made the problems go away.

Microsoft has since updated its article KB3163622 to include a “known issues” explanation for this Group Policy issue. What MS16-072 actually does is change how Group Policies work: with the update applied, user Group Policies are retrieved based on the machine’s security context instead of the user’s security context.

Here’s how Microsoft have explained it:

MS16-072 changes the security context with which user group policies are retrieved. This by-design behaviour change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the machine’s security context.

The cause of the GPO problems, according to Microsoft’s article, is a missing Read permission for Authenticated Users on the GPO. Alternatively, organisations may be missing that Read permission because they have also used security filtering.

Here is the Microsoft solution:

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

  • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
  • If you are using security filtering, add the Domain Computers group with read permission.

Microsoft also published a PowerShell script “to help identify GPO’s, from the current domain, that might experience the issue once the update is applied” according to Ian Farr, a senior support consultant at Microsoft’s Global Business Support group. The script will list “GPO’s that may need the ‘Authenticated Users’ read permission or ‘Domain Computers’ read permission adding” Farr explained.

As well as the scripts on Microsoft’s official pages, Emin Atac, one of Microsoft’s Most Valuable Professionals, also published scripts in a blog post that check for GPOs without Authenticated Users, along with scripts to add them back. He recommended “running them before applying the MS16-072 security patch”.
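For readers who want to audit their own domain before rolling out the patch, here is an added example of such a check. It is our own illustration, not Microsoft’s or Emin Atac’s script: it uses the RSAT GroupPolicy module (assumed to be installed on a domain-joined admin workstation) to list every GPO that lacks a Read permission for Authenticated Users or Domain Computers, which is exactly the condition KB3163622 describes, and leaves the optional remediation commented out so you can review the report first.

```powershell
# Added audit script (not Microsoft's or Emin Atac's code): reports GPOs that
# lack Read access for Authenticated Users or Domain Computers, the condition
# KB3163622 describes. Assumes the RSAT GroupPolicy module is available.
Import-Module GroupPolicy

# Match trustees by SID rather than display name: Authenticated Users is the
# well-known S-1-5-11, Domain Computers is the domain SID with RID 515.
$authUsersSid  = 'S-1-5-11'
$domainCompRid = '-515'

function Test-GpoReadAccess {
    param([Parameter(Mandatory)] $Gpo)

    # -All returns every ACE on the GPO. GpoRead, GpoApply and the GpoEdit*
    # levels all include Read; GpoCustom entries are counted for a manual look.
    $aces = Get-GPPermission -Guid $Gpo.Id -All
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    $hasAuthUsers = $aces | Where-Object {
        $_.Trustee.Sid -and $_.Trustee.Sid.Value -eq $authUsersSid -and
        $_.Permission.ToString() -in $readLevels }
    $hasDomComps = $aces | Where-Object {
        $_.Trustee.Sid -and $_.Trustee.Sid.Value.EndsWith($domainCompRid) -and
        $_.Permission.ToString() -in $readLevels }
    $custom = $aces | Where-Object { $_.Permission.ToString() -eq 'GpoCustom' }

    [pscustomobject]@{
        Name              = $Gpo.DisplayName
        Id                = $Gpo.Id
        AuthenticatedRead = [bool]$hasAuthUsers
        DomainCompRead    = [bool]$hasDomComps
        CustomAces        = @($custom).Count
        AtRisk            = -not ($hasAuthUsers -or $hasDomComps)
    }
}

# Audit every GPO in the current domain; AtRisk = $true rows need attention.
$report = Get-GPO -All | ForEach-Object { Test-GpoReadAccess -Gpo $_ }
$report | Sort-Object AtRisk -Descending | Format-Table -AutoSize

# Optional remediation, mirroring the KB article's second option: granting
# Domain Computers Read (not Apply) keeps existing user security filtering
# intact while letting the machine context read the GPO. Uncomment after review.
# $report | Where-Object AtRisk | ForEach-Object {
#     Set-GPPermission -Guid $_.Id -TargetName 'Domain Computers' `
#         -TargetType Group -PermissionLevel GpoRead
# }
```

GPOs showing CustomAces greater than zero should be inspected by hand in GPMC, since a custom ACE may or may not include Read for the relevant group.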

So, to any of our clients experiencing this issue – or more importantly to those who have not yet come across it… please, please check your GPOs before rolling out this Microsoft June security patch.