Is anyone affected by the GPO-MMC wsecedit.dll error in Windows Server 2016 caused by security update KB4577015 dated September 8, 2020? There is a temporary workaround that prevents the crash and can be used until a fix from Microsoft is available.
Background to the GPO-MMC wsecedit.dll error
Cumulative update KB4577015 was released by Microsoft on September 8, 2020 as a security update for Windows 10 1607 Enterprise LTSC. The update is also available for Windows Server 2016. I had mentioned the update briefly in the article Patchday: Windows 10 Updates (September 8, 2020).
However, security update KB4577015 from September 8, 2020 causes problems on Windows Server 2016 systems that act as domain controllers. When changing security options, the group policy editor (gpedit.msc) throws a wsecedit.dll error while loading an MMC snap-in. The error occurs when trying to navigate to the following path in Group Policy:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
A gpedit.msc error message appears stating that an MMC snap-in cannot be loaded because a wsecedit.dll error has occurred.
The hint to restart the Group Policy Editor or to ignore the error in the session does not help. The functions for customizing the security options can no longer be used (see my blog post Windows Server 2016: Update KB4577015 throws a GPO MMC wsecedit.dll error). The bug has also been confirmed by users in the post GPMC error for “Security Options” after Updates 2020-09 in Windows Server 2016 Domain Controllers in Microsoft’s Q&A.
A workaround for this bug
In this comment, German blog reader Mario Flohrer points out a workaround that a user has posted in Microsoft’s Q&A thread GPMC error for “Security Options” after Updates 2020-09 in Windows Server 2016 Domain Controllers.
The crash can be avoided by deleting the following registry key. Please make sure to export the reg key before deleting anything. Deleting the key will cause the “Interactive logon: Display user information when the session is locked” policy to not appear in the console. (The policy is still effective, but you can’t see it in the UI to edit it). You will need to import the key back later, after the fix has been released.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values\MACHINE/Software/Microsoft/Windows/CurrentVersion/Policies/System/DontDisplayLockedUserId
So you should first export the specified registry key (the export is needed again once a fix from Microsoft is available) and then delete the key. After that, the error message no longer appears. As soon as a fix from Microsoft is available, the key must be imported again.
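The export-then-delete steps above as a script. This is an added example, not code from the original post or the Q&A thread. The backup folder C:\RegBackup and the file name are assumptions, and reg.exe is used because the last subkey name itself contains forward slashes and has to be passed literally.

```powershell
#Requires -RunAsAdministrator
# Added example: back up, verify, then delete the SecEdit subkey named in the article.
# Run on the affected Windows Server 2016 machine.

# Key exactly as given in the article. Everything after "Reg Values\" is ONE subkey
# whose name contains forward slashes.
$key = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values\' +
       'MACHINE/Software/Microsoft/Windows/CurrentVersion/Policies/System/DontDisplayLockedUserId'

# Assumed backup location; keep the file until Microsoft's fix has been installed.
$backupDir = 'C:\RegBackup'
$backup    = Join-Path $backupDir 'SecEdit-DontDisplayLockedUserId.reg'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Confirm the key exists, so a missing key is not mistaken for a successful delete.
& reg.exe query $key | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Key not found, nothing to do: $key" }

# 2. Export the key (/y overwrites an older backup file of the same name).
& reg.exe export $key $backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
    throw "Export failed, key left untouched."
}

# 3. Verify the backup really contains this key before anything is deleted.
#    .reg files name the hive in full, so HKLM\ becomes HKEY_LOCAL_MACHINE\.
$header = '[HKEY_LOCAL_MACHINE\' + $key.Substring(5) + ']'
if (-not (Select-String -Path $backup -SimpleMatch -Pattern $header -Quiet)) {
    throw "Backup does not contain the expected key header, key left untouched."
}

# 4. Delete the key (/f suppresses the confirmation prompt).
& reg.exe delete $key /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Delete failed: $key" }

Write-Output "Key deleted. Backup saved to $backup"
Write-Output "After the fix is installed, restore with: reg.exe import `"$backup`""
```

Close and reopen the Group Policy editor after running it so the snap-in reloads its list of security options.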