MS16-072 breaks Group Policy

The Microsoft hotfix MS16-072 (KB 3159398) released June 14 2016 will break fundamental parts of traditional Group Policy processing. After the hotfix is installed on a client computer no Group Policy objects that use security filtering to user groups will no longer be applied.

This is done on purpose by Microsoft through a design change delivered in a Windows Update security fix that silently changes the way GPO must be configured to work. All Group Policy Objects configured in the way Microsoft has recommended the last 16 years will stop to work.

Group Policy Objects with default permissions will work. GPO that only applies to computers will work. GPO with security filtering to user groups will typically not work after the update.

GPO-2

A quick review of how Group Policy security filtering works. If a Group Policy Object should be applied to an end user this user must have two specific allow permissions: READ and APPLY GROUP POLICY.

By default a new GPO has a number of permissions with different access levels, but only one entry has both “read” and “apply group policy”: the special group “Authenticated Users“.

Despite the name “Authenticated Users” actually includes both logged on users but also computer objects from either the same domain or a trusted domain.

This means that a default GPO will be applied to all users and computers located in some OU to which the GPO are linked somewhere above.

To filter a GPO to only hit a certain amount of users and not everyone in the linked OU tree the Microsoft recommendation has always been to remove the Authenticated Users group and add the user group and make sure they have READ and APPLY GROUP POLICY.

GPO-8

If using the “Security Filtering” option in Group Policy Management Console these two permissions were given automatically by just selecting the group.

After the MS16-072 / KB3159398 update this will no longer work for any user filtered GPO. A change is made to the client computer in the way the Group Policy are processed and the computer account must now also have READ permission to the Group Policy Object. Note that the user group must still have the Read and Apply GP as before.

GPO-7

To fix this issue either uninstall the MS16-072 or add a read permission for Domain Computers on each and every GPO that use security filtering to user groups.

Note that only read should be given. Do not use the Security Filtering option on the Scope tab since this will also set the Apply GP permission.

Make sure the old user group is still on the Access Control List, it should not be changed.

GPO-5

Note that this workaround is only needed if the Authenticated Users group was removed when configuring the GPO. If the group are still present with READ but not APPLY GROUP POLICY there will not be any issue. This is due to computers being included in the Authenticated Users group and through this has the necessary permissions.

Note also that the delegation tab does not give all information. The best option is to use Delegation tab / Advanced to view the true ACL.

Customers installing the MS06-072 update without changing all GPO in advance will unfortunately suffer mayor production impact. It goes without saying that this kind of design changes by Microsoft should not be handled in such way.