The security update patches a vulnerability in Windows that could result in elevation of privilege during a man in the middle attack.
The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.
The update changes the security context in which user group policies are retrieved. Previously, group policies were always retrieved by using the user's security context. Starting with the installation of MS16-072, user group policies are retrieved using the computer's security context instead.
While that makes sense from a security point of view, it led to severe issues on domain joined computers as all policies may fail on those systems.
The cause for this according to Microsoft is a missing read permission for the Authenticated User group, or missing read permissions for the domain computers group. Basically, what happens is that the policies cannot be read due to the missing permissions.
Considering that all policies may not be applied to a user or machine after installing MS16-072, it is clear that this may cause serious issues in business environments.
This ranges from simple things such as background images not showing up to serious ones like hidden drives showing up, changes in Windows Update, blocked features or tools becoming available, printers becoming inaccessible, and a lot more that may cause serious issues in those environments.
Microsoft recommends other solutions, and it is probably a good idea to install the security update eventually. The security context change was done on purpose, and Microsoft won't modify the patch to resolve the issue in some other way.
This means that you will need to apply Microsoft's solution on affected machines. Thankfully, it is not lengthy or complicated, but requires access to the Group Policy Management Console (gpmc.msc).
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.