MS16-072 may break Group Policy configurations
The security update patches a vulnerability in Windows that could result in elevation of privilege during a man in the middle attack.
The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.
The update changes the security context in which user group policies are retrieved. Previously, group policies were always retrieved by using the user's security context. Starting with the installation of MS16-072, user group policies are retrieved using the computer's security context instead.
Group Policy issues caused by MS16-072
While that makes sense from a security point of view, it led to severe issues on domain joined computers as all policies may fail on those systems.
The cause for this according to Microsoft is a missing read permission for the Authenticated User group, or missing read permissions for the domain computers group. Basically, what happens is that the policies cannot be read due to the missing permissions.
Considering that all policies may not be applied to a user or machine after installing MS16-072, it is clear that this may cause serious issues in business environments.
This ranges from simple things such as background images not showing up to serious ones like hidden drives showing up, changes in Windows Update, blocked features or tools becoming available, printers becoming inaccessible, and a lot more that may cause serious issues in those environments.
Microsoft recommends other solutions, and it is probably a good idea to install the security update eventually. The security context change was done on purpose, and Microsoft won't modify the patch to resolve the issue in some other way.
This means that you will need to apply Microsoft's solution on affected machines. Thankfully, it is not lengthy or complicated, but requires access to the Group Policy Management Console (gpmc.msc).
- Option 1: Add the Authenticated Users group with read permissions on the Group Policy Object.
- Option 2: If security filtering is used, add the Domain Groups group with read permissions.