[German]Security update KB4577015, released September 8, 2020, causes a wsecedit.dll error in GPO-MMC on Windows Server 2016, rendering the Group Policy Editor unusable. But there is a temporary workaround to prevent the crash and Microsoft has admitted the bug in the meantime.
The bug in GPO-MMC
I've addressed the bug within my blog post Windows Server 2016: Update KB4577015 throws a GPO MMC wsecedit.dll error. Administrators who install the security update KB4577015 from September 8, 2020 on Windows Server 2016 get a problem. The Group Policy Editor (gpedit.msc) throws a wsecedit.dll error when loading an MMC snap-in when changing security options. The error occurs when trying to traverse the following path in Group Policy:
Computer Configuration > Windows Setting > Security Settings > Local Policy > Security Options
A gpedit.msc error message appears stating that an MMC snap-in cannot be loaded because a wsecedit.dll error has occurred.
The hint to restart the Group Policy Editor or to ignore the error in the session does not help. The hint to restart the Group Policy Editor or to ignore the error in the session does not help. The functions for customizing the security options can no longer be used. There is now a fresh entry GPMC error for "Security Options" after Updates 2020-09 in Windows Server 2016 Domain Controllers in Microsoft's Q&A. There several users confirmed the error description. There I had also left a comment about the issue reported from several of my blog readers.
Microsoft confirms the error
The colleagues from Bleeping Computer spottet that Microsoft has confirmed this bug on the status page for Windows 10 version 2016 and Windows Server 2016. There it says:
Unable to access Security Options section in Group Policy Management Console
Accessing the Security Options data view in the Group Policy Management Editor (gpedit.msc) or Local Security Policy Editor (secpol.msc) might fail with the error "MMC has detected an error in a snap-in. It is recommended that you shut down and restart MMC" or "MMC cannot initialize the snap-in". This occurs from the MMC window, when the console tree is expanded in the following sequence: select Computer Configuration, then Policies, then Windows Settings, then Security Settings, then Local Policies, then Security Options.
The resulting error dialog provides options to continue using the Management Console to view other nodes normally. Note: This issue does not affect the application of the Security Options or any other Group Policy Objects (GPOs) to devices in your environment.
- Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server 2016
Workaround: To mitigate this issue, you can install Remote Administrative tools on a device running Windows 10, version 1709 or later. This will allow you to run Group Policy Management Console and edit GPOs on the affected server.
Next steps: We are working on a resolution and will provide an update in an upcoming release.
This is the error description I posted above. Microsoft is working on fixing the error and wants to roll out a correction with the next update release. As a workaround, it is recommended to use the Remote Administrator tools on another machine running Windows 10 version 1709 or higher. I had suggested an alternative way in form of a temporary registry intervention (see Windows Server 2016: Workaround for GPO-MMC wsecedit.dll error). The workaround works and was suggested a week ago by a user (as well as the Microsoft solution) in Microsoft's Q&A in the post GPMC error for "Security Options" after Updates 2020-09 in Windows Server 2016 Domain Controllers.
Windows Server 2016: Update KB4577015 throws a GPO MMC wsecedit.dll error
Windows Server 2016: Workaround for GPO-MMC wsecedit.dll error
Cookies helps to fund this blog: Cookie settings