Microsoft's update KB3159398, released on patch day June 14, 2016, is causing serious problems in Windows Group Policy. Now Microsoft explains what's happened.
Advertising
I've addressed this issue in blog post Update KB3159398 breaks Group Policy in Windows. Some users are explaining already, what's happened (see New Group Policy Patch MS16-072– "Breaks" GP Processing Behavior). Finally, Microsoft has also addressed this issue in a Technet blog post Who broke my user GPOs? on June 5, 2016.
What did I miss.
We released new security patches for all currently supported Operating Systems. Among those patches was this one: MS 16-072, which is also referenced as KB 3163622. OS Specific articles are released as 3159398, 3163017, 3163018, and 3163016.
KB 3159398 – Vista, 2008, 7, 2008 R2, 2012, 8.1, 2012 R2
KB 3163017 – Windows 10 TH1
KB 3163018 – Windows 10 TH2 and Server 2016 TP4
KB 3163016 – Server 2016 TP5After applying the appropriate patch to your systems, User group policies are retrieved from SYSVOL differently than before. Prior to the update, domain joined computers used the user's security context to make the connection and retrieve the policies. After the update is applied, domain joined computers will now retrieve all policies using the computer security context. The users that get the policy is still controlled by the policy scope just like before. The only change is the computer is getting the policy for the user.
Further details and explanations may read in the article Who broke my user GPOs?.
