Microsoft explains the KB3159398 GPO problem

Microsoft's update KB3159398, released on patch day June 14, 2016, is causing serious problems in Windows Group Policy. Now Microsoft explains what's happened.


I've addressed this issue in the blog post Update KB3159398 breaks Group Policy in Windows. Some users have already explained what happened (see New Group Policy Patch MS16-072 – "Breaks" GP Processing Behavior). Finally, Microsoft has also addressed this issue in a TechNet blog post, Who broke my user GPOs?, on June 5, 2016.

What did I miss?

We released new security patches for all currently supported Operating Systems. Among those patches was this one: MS 16-072, which is also referenced as KB 3163622. OS Specific articles are released as 3159398, 3163017, 3163018, and 3163016.

KB 3159398 – Vista, 2008, 7, 2008 R2, 2012, 8.1, 2012 R2
KB 3163017 – Windows 10 TH1
KB 3163018 – Windows 10 TH2 and Server 2016 TP4
KB 3163016 – Server 2016 TP5

After applying the appropriate patch to your systems, User group policies are retrieved from SYSVOL differently than before. Prior to the update, domain joined computers used the user's security context to make the connection and retrieve the policies. After the update is applied, domain joined computers will now retrieve all policies using the computer security context. The users that get the policy is still controlled by the policy scope just like before. The only change is the computer is getting the policy for the user.

Further details and explanations can be found in the article Who broke my user GPOs?.
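Because user policies are now fetched in the computer security context, a GPO with user settings that the computer account cannot read is a candidate for the breakage. The following audit is an added example, not code from Microsoft or from the original post; it assumes the GroupPolicy module (GPMC/RSAT) is installed and that the English group names 'Authenticated Users' and 'Domain Computers' are the trustees that cover your computer accounts.

```powershell
# Added example: list GPOs with user settings that computer accounts may not be able to read.
# Run from a domain-joined machine with the GroupPolicy module (GPMC / RSAT) installed.
Import-Module GroupPolicy

# Assumption: these two trustees cover the computer accounts in the domain.
# Adjust the names for localized domains or for custom computer groups.
$computerTrustees = 'Authenticated Users', 'Domain Computers'

# Standard GPO permission levels that include Read.
# ACEs reported as GpoCustom are not evaluated here and need a manual look.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoComputerRead {
    param([Parameter(Mandatory)] $Gpo)

    # -All returns one entry per trustee on the GPO's ACL.
    $perms = Get-GPPermission -Guid $Gpo.Id -All
    $match = $perms | Where-Object {
        ($computerTrustees -contains $_.Trustee.Name) -and
        ($readLevels -contains $_.Permission.ToString()) -and
        (-not $_.Denied)
    }
    return [bool]$match
}

$report = foreach ($gpo in Get-GPO -All) {
    # Only GPOs whose user half is enabled are affected by the change.
    $status = $gpo.GpoStatus.ToString()
    $userEnabled = $status -notin 'AllSettingsDisabled', 'UserSettingsDisabled'

    [pscustomobject]@{
        DisplayName         = $gpo.DisplayName
        Id                  = $gpo.Id
        UserSettingsEnabled = $userEnabled
        ComputerCanRead     = Test-GpoComputerRead -Gpo $gpo
    }
}

# GPOs to review: user settings enabled, but no read access found for computers.
$report |
    Where-Object { $_.UserSettingsEnabled -and -not $_.ComputerCanRead } |
    Sort-Object DisplayName |
    Format-Table -AutoSize
```

The script only reads permissions and changes nothing; an empty table means every GPO with enabled user settings grants read access to one of the two assumed trustees.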
