Is anyone affected by the GPO-MMC wsecedit.dll error in Windows Server 2016 caused by security update KB4577015 of September 8, 2020? There is a temporary workaround that prevents the crash and can be used until a fix from Microsoft is available.
Background to the GPO-MMC wsecedit.dll error
Cumulative update KB4577015 was released by Microsoft on September 8, 2020 as a security update for Windows 10 1607 Enterprise LTSC. The update is also available for Windows Server 2016. I had mentioned the update briefly in the article Patchday: Windows 10 Updates (September 8, 2020).
However, security update KB4577015 from September 8, 2020 causes problems on Windows Server 2016 systems acting as domain controllers. The Group Policy Editor (gpedit.msc) throws a wsecedit.dll error while loading an MMC snap-in when you try to change security options. The error occurs when navigating to the following path in Group Policy:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
A gpedit.msc error message appears stating that an MMC snap-in cannot be loaded because a wsecedit.dll error has occurred.
The hint to restart the Group Policy Editor or to ignore the error in the session does not help. The functions for customizing the security options can no longer be used (see my blog post Windows Server 2016: Update KB4577015 throws a GPO MMC wsecedit.dll error). The bug has also been confirmed by users in the post GPMC error for "Security Options" after Updates 2020-09 in Windows Server 2016 Domain Controllers in Microsoft's Q&A.
A workaround for this bug
In this comment, German blog reader Mario Flohrer points out a workaround that a user has posted in Microsoft's Q&A thread GPMC error for "Security Options" after Updates 2020-09 in Windows Server 2016 Domain Controllers.
The crash can be avoided by deleting the following registry key. Please make sure to export the reg key before deleting anything. Deleting the key will cause the "Interactive logon: Display user information when the session is locked" policy to not appear in the console. (The policy is still effective, but you can't see it in the UI to edit it). You will need to import the key back later, after the fix has been released.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values\MACHINE/Software/Microsoft/Windows/CurrentVersion/Policies/System/DontDisplayLockedUserId
So you should first export the specified registry key (the export is needed again once a fix from Microsoft is available) and then delete the key. After that, the error message no longer appears. As soon as a fix from Microsoft is available, the key must be imported again.
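The export, delete and later re-import described above, as an added PowerShell example that is not part of the original post or the Microsoft Q&A thread. The backup path and the function names are assumptions; run it from an elevated session.

```powershell
# Added example: back up, remove and later restore the SecEdit registry key named above.
$Key = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values\' +
       'MACHINE/Software/Microsoft/Windows/CurrentVersion/Policies/System/DontDisplayLockedUserId'
# Assumed backup location; one file per server so exports are not mixed up.
$BackupFile = "C:\Temp\DontDisplayLockedUserId-$env:COMPUTERNAME.reg"

function Backup-AndRemoveSecEditKey {
    # reg.exe is used instead of the HKLM: drive because the subkey name itself
    # contains forward slashes, which the PowerShell registry provider treats
    # as path separators.
    & reg.exe query $Key | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Key not found (already removed?): $Key" }

    # Never overwrite an earlier export: it may be the only good copy.
    if (Test-Path -LiteralPath $BackupFile) {
        throw "Backup already exists, refusing to overwrite: $BackupFile"
    }
    New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null

    & reg.exe export $Key $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

    # Verify the export really contains the key before anything is deleted.
    $ok = Select-String -LiteralPath $BackupFile -Pattern 'DontDisplayLockedUserId' `
                        -SimpleMatch -Quiet
    if (-not $ok) { throw "Export file does not contain the key: $BackupFile" }

    & reg.exe delete $Key /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }
    Write-Output "Key removed. Backup stored at $BackupFile"
}

function Restore-SecEditKey {
    # Run this after the fixed update from Microsoft has been installed.
    if (-not (Test-Path -LiteralPath $BackupFile)) {
        throw "No backup found at $BackupFile"
    }
    & reg.exe import $BackupFile
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }

    & reg.exe query $Key | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Key still missing after import: $Key" }
    Write-Output "Key restored from $BackupFile"
}

# Usage: call Backup-AndRemoveSecEditKey now, Restore-SecEditKey after the fix.
```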
Thanks for this! Yes, I wanted to review the new GPO settings for the CVE-2020-1472 patch released in August, and the MMC always crashed on my Server 2016-based DCs. In my case I also had a Server 2012 R2-based DC and could access that MMC no problem.
This is not limited to the GPO MMC, it happens also on regular standalone and member servers if you launch the Local Security Policy (secpol.msc) and try to access the Security Options.
Deleting the key fixes the issue in this case as well.
Thank you. This popped up just as I was rolling out 2016 to replace 2012. I was worried there was some odd incapability from my 2012 GPO that caused this issue on my new 2016 member servers. Good to know it is a patch that can be corrected. Till then removing the key above allows me to see my Security Options again.