Windows Server 2016: Update KB4577015 throws a GPO MMC wsecedit.dll error

[German]Security update KB4577015, dated September 8, 2020, causes problems on Windows Server 2016, which acts as the domain controller. The Group Policy Editor (gpedit.msc) throws a wsecedit.dll error when loading an MMC snap-in when changing security options.


Advertising

I’ve been notified by serveral users about this issue (see e.g. this German comment), so  I’m pulling it out separately here in a post.

Windows Update KB4577015 (Sept. 8, 2020)

Cumulative update KB4577015 was released by Microsoft on September 8, 2020 as a security update for Windows 10 1607 Enterprise STSC. The update is also available for Windows Server 2016. I had mentioned the update briefly in the article Patchday: Windows 10-Updates (September 8, 2020). It adds time zone information for Yokon (Canada) and fixes a number of security issues. Microsoft also adds the item Provides the ability to set a Group Policy that displays only the domain and username when you sign in. However, it seems that something has gone wrong with the various fixes.

Group Policy Editor on Windows Server 2016 broken

Besides the above comment there was already a call for help from another administrator, which I addressed in the blog post Windows 10 V1607: Update KB4571694 creates ID 5827 events, bricks MMC. The administrator of a virtualized Windows Server 2016 Datacenter Edition encountered a wsecedit.dll error when loading an MMC snap-in while using the Group Policy Editor. Th attempts to traverse the following path in Group Policy:

Computer Configuration > Windows Setting > Security Settings > Local Policy > Security Options

fails with a gpedit.msc error message. A MMC snap-in cannot be loaded because a wsecedit.dll error has occurred.


Advertising

gpedit.msc error

The hint to restart the Group Policy Editor or to ignore the error in the session does not help. The functions for customizing the security options can no longer be used. There is now a fresh entry GPMC error for “Security Options” after Updates 2020-09 in Windows Server 2016 Domain Controllers in Microsoft’s Q&A. There several users confirm the following error description:

We have found that if a Windows Server 2016 DC has been patched with the current Cumulative Update 2020-09 and Servicing Stack Update 2020-09, the “Security Options” in a policy can no longer be opened in the GPMC afterwards.

Cumulative update KB4577015 from September 8, 2020 is the culprit, as I have now been confirmed by various sources. It seems to affect all versions or variants of Windows Server 2016 – and probably also Windows 10 version 1607 Enterprise LTSC. Maybe this information will help.

Addendum: There ist a workaround to avoid the crash, see my blog post Windows Server 2016: Workaround for GPO-MMC wsecedit.dll

Similar articles:
Windows 10 V1607: Update KB4571694 creates ID 5827 events, bricks MMC
Patchday: Windows 10-Updates (September 8, 2020)


Advertising


This entry was posted in issue, Update, Windows and tagged , , . Bookmark the permalink.

8 Responses to Windows Server 2016: Update KB4577015 throws a GPO MMC wsecedit.dll error

  1. Rich W says:

    Thank you! Good to know it’s not just me.

  2. Joe says:

    This happened to me as well.

    Has anyone alerted MS on this?

  3. Joe says:

    I opened a case on this with MS

    • guenni says:

      Thx – I’ve forwarded the link to this blog post via Twitter to Windows Update Social Media Team – but no feedback till yet.

  4. Advertising

  5. Joe says:

    Update from MS…

    Regarding your SR above for the update released on Sept 8th, Yes, we are aware of the issue, this is related to a bug in the patch, but thank you for bringing it up.
    There is a workaround this, until the fix is addressed in the next patch updated expected to be released in October.

    Workaround

    • Use a non-RS1 OS to edit GPOs. For example, install the GP admin tools to a client OS.
    • The crash can be avoided by deleting the following registry key. Please make sure to export the reg key before deleting anything. Deleting the key will cause the “Interactive logon: Display user information when the session is locked” policy to not appear in the console. (The policy is still effective, but you can’t see it in the UI to edit it). You will need to import the key back later, after the fix has been released. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values\MACHINE/Software/Microsoft/Windows/CurrentVersion/Policies/System/DontDisplayLockedUserId

    If no action is done, the Fix will be released in the October patch updates.

  6. Keynon says:

    Joe –
    I sure appreciate it when people take the time to post quick fixes and workarounds like this one! Was able to set the Group Policy needed thanks to this post! Thank you!

  7. elvisghost says:

    Created batch file which applies and rolls back this registry fix

    https://pastebin.com/5ykrj0gH

Leave a Reply to guenni Cancel reply

Your email address will not be published. Required fields are marked *