MS16-072 may break Group Policy configurations - gHacks Tech News

MS16-072 may break Group Policy configurations

Microsoft released 16 security bulletins as part of the June 2016 Patch Day of which one, MS16-072, is causing serious issues on some computer configurations.

The security update patches a vulnerability in Windows that could result in elevation of privilege during a man in the middle attack.

The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.

The update changes  the security context in which user group policies are retrieved. Previously, group policies were always retrieved by using the user's security context. Starting with the installation of MS16-072, user group policies are retrieved using the computer's security context instead.

Group Policy issues caused by MS16-072

group policy

While that makes sense from a security point of view, it led to severe issues on domain joined computers as all policies may fail on those systems.

The cause for this according to Microsoft is a missing read permission for the Authenticated User group, or missing read permissions for the domain computers group. Basically, what happens is that the policies cannot be read due to the missing permissions.

Considering that all policies may not be applied to a user or machine after installing MS16-072, it is clear that this may cause serious issues in business environments.

This ranges from simple things such as background images not showing up to serious ones like hidden drives showing up, changes in Windows Update, blocked features or tools becoming available, printers becoming inaccessible, and a lot more that may cause serious issues in those environments.

Administrators who are in a hurry can uninstall KB3159398, KB3163017, KB3163018 or KB3163016 and reboot affected machines to return to the status quo.

Microsoft's solution

Microsoft recommends other solutions, and it is probably a good idea to install the security update eventually. The security context change was done on purpose, and Microsoft won't modify the patch to resolve the issue in some other way.

This means that you will need to apply Microsoft's solution on affected machines. Thankfully, it is not lengthy or complicated, but requires access to the Group Policy Management Console (gpmc.msc).

  • Option 1: Add the Authenticated Users group with read permissions on the Group Policy Object.
  • Option 2: If security filtering is used, add the Domain Groups group with read permissions.
Summary
MS16-072 may break Group Policy configurations
Article Name
MS16-072 may break Group Policy configurations
Description
Microsoft released 16 security bulletins as part of the June 2016 Patch Day of which one, MS16-072, is causing serious issues on some computer configurations.
Author
Publisher
Ghacks Technology News
Logo




  • We need your help

    Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

    We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

    If you like our content, and would like to help, please consider making a contribution:

    Comments

    1. Xi said on June 17, 2016 at 9:25 am
      Reply

      What the normal & pro users need to do? Uninstall KB3159398 or would need to use any other workaround?
      Also, gpmc.msc can’t be accessed/not found on Win 7/8/8.1 editions which have access to Group Policy.

      Normal users would be confused and worried while reading this post. Hence, please add a note for normal users about what they should do.

      1. Martin Brinkmann said on June 17, 2016 at 9:53 am
        Reply

        This only applies to domain joined computers. If you are using a home computer, this won’t affect you.

    2. Joseph C. said on June 17, 2016 at 2:42 pm
      Reply

      THANK YOU!!! This was very timely for me and your article saved me lots of grief this morning. Granting Authenticated users Read access work perfectly.

    3. Anonymous said on June 18, 2016 at 11:54 pm
      Reply

      Thanks Martin!
      This has been vexing me for a few days, looked everywhere for issue but should have started by looking at WSUS 1st!

    Leave a Reply