MS16-072 may break Group Policy configurations - gHacks Tech News

MS16-072 may break Group Policy configurations

Microsoft released 16 security bulletins as part of the June 2016 Patch Day of which one, MS16-072, is causing serious issues on some computer configurations.

The security update patches a vulnerability in Windows that could result in elevation of privilege during a man in the middle attack.

The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.

The update changes  the security context in which user group policies are retrieved. Previously, group policies were always retrieved by using the user's security context. Starting with the installation of MS16-072, user group policies are retrieved using the computer's security context instead.

Group Policy issues caused by MS16-072

group policy

While that makes sense from a security point of view, it led to severe issues on domain joined computers as all policies may fail on those systems.

The cause for this according to Microsoft is a missing read permission for the Authenticated User group, or missing read permissions for the domain computers group. Basically, what happens is that the policies cannot be read due to the missing permissions.

Considering that all policies may not be applied to a user or machine after installing MS16-072, it is clear that this may cause serious issues in business environments.

This ranges from simple things such as background images not showing up to serious ones like hidden drives showing up, changes in Windows Update, blocked features or tools becoming available, printers becoming inaccessible, and a lot more that may cause serious issues in those environments.

Administrators who are in a hurry can uninstall KB3159398, KB3163017, KB3163018 or KB3163016 and reboot affected machines to return to the status quo.

Microsoft's solution

Microsoft recommends other solutions, and it is probably a good idea to install the security update eventually. The security context change was done on purpose, and Microsoft won't modify the patch to resolve the issue in some other way.

This means that you will need to apply Microsoft's solution on affected machines. Thankfully, it is not lengthy or complicated, but requires access to the Group Policy Management Console (gpmc.msc).

  • Option 1: Add the Authenticated Users group with read permissions on the Group Policy Object.
  • Option 2: If security filtering is used, add the Domain Groups group with read permissions.
Summary
MS16-072 may break Group Policy configurations
Article Name
MS16-072 may break Group Policy configurations
Description
Microsoft released 16 security bulletins as part of the June 2016 Patch Day of which one, MS16-072, is causing serious issues on some computer configurations.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. Xi said on June 17, 2016 at 9:25 am
    Reply

    What the normal & pro users need to do? Uninstall KB3159398 or would need to use any other workaround?
    Also, gpmc.msc can’t be accessed/not found on Win 7/8/8.1 editions which have access to Group Policy.

    Normal users would be confused and worried while reading this post. Hence, please add a note for normal users about what they should do.

    1. Martin Brinkmann said on June 17, 2016 at 9:53 am
      Reply

      This only applies to domain joined computers. If you are using a home computer, this won’t affect you.

  2. Joseph C. said on June 17, 2016 at 2:42 pm
    Reply

    THANK YOU!!! This was very timely for me and your article saved me lots of grief this morning. Granting Authenticated users Read access work perfectly.

  3. Anonymous said on June 18, 2016 at 11:54 pm
    Reply

    Thanks Martin!
    This has been vexing me for a few days, looked everywhere for issue but should have started by looking at WSUS 1st!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.