Windows Server 2016: Workaround for GPO-MMC wsecedit.dll error

[German]Is anyone affected by the GPO-MMC wsecedit.dll error in Windows Server 2016 caused by security update KB4577015 dated September 8, 2020? There is a temporary workaround to prevent the crash. This can be used until a fix from Microsoft is available.


Advertising

Background to the GPO-MMC wsecedit.dll error

Cumulative update KB4577015  was released by Microsoft on September 8, 2020 as a security update for Windows 10 1607 Enterprise LTSC. The update is also available for Windows Server 2016. I had mentioned the update briefly in the article Patchday: Windows 10 Updates (September 8, 2020).

However, security update KB4577015 from September 8, 2020 causes problems on Windows Server 2016, which acts as domain controller. The group policy editor (gpedit.msc) throws a wsecedit.dll error when loading an MMC snap-in when changing security options. The error occurs when trying to traverse the following path in Group Policy:

Computer Configuration > Windows Setting > Security Settings > Local Policy > Security Options

A gpedit.msc error message appears stating that an MMC snap-in cannot be loaded because a wsecedit.dll error has occurred. 

gpedit.msc error


Advertising

The hint to restart the Group Policy Editor or to ignore the error in the session does not help. The functions for customizing the security options can no longer be used (see my blog post Windows Server 2016: Update KB4577015 throws a GPO MMC wsecedit.dll error). The bug has also be confirmed by users in the post GPMC error for "Security Options" after Updates 2020-09 in Windows Server 2016 Domain Controllers in Microsoft's Q&A.

A workaround for this bug

In this comment Germanblog reader Mario Flohrer points out a workaround, a user has posted in Microsoft's Q&A thread GPMC error for "Security Options" after Updates 2020-09 in Windows Server 2016 Domain Controllers.

The crash can be avoided by deleting the following registry key. Please make sure to export the reg key before deleting anything. Deleting the key will cause the "Interactive logon: Display user information when the session is locked" policy to not appear in the console. (The policy is still effective, but you can't see it in the UI to edit it). You will need to import the key back later, after the fix has been released.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values\MACHINE/Software/Microsoft/Windows/CurrentVersion/Policies/System/DontDisplayLockedUserId

So you should export the specified registry key (needed if a fix from Microsoft is available) and then delete the key. Then the error message will not appear. As soon as a fix from Microsoft is available, the key must be imported again.


Advertising

This entry was posted in issue, Windows and tagged , . Bookmark the permalink.

4 Responses to Windows Server 2016: Workaround for GPO-MMC wsecedit.dll error

  1. Sir_Timbit says:

    Thanks for this! Yes, I wanted to review the new GPO settings for the CVE-2020-1472 patch released in August, and the MMC always crashed on my Server 2016-based DCs. In my case I also had a Server 2012 R2-based DC and could access that MMC no problem.

  2. This is not limited to the GPO MMC, it happens also on regular standalone and member servers if you launch the Local Security Policy (secpol.msc) and try to access the Security Options.
    Deleting the key fixes the issue in this case as well.

  3. Jon says:

    Thank you!

  4. SZ says:

    Thank you. This popped up just as I was rolling out 2016 to replace 2012. I was worried there was some odd incapability from my 2012 GPO that caused this issue on my new 2016 member servers. Good to know it is a patch that can be corrected. Till then removing the key above allows me to see my Security Options again.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).