Windows August 2024 updates break new Item-Level Targeting in GPOs

I'll pull out one topic separately that was brought to my attention by readers in comments and also directly by email. Administrators who install the security updates from the August 2024 patch day (August 13, 2024) on their Windows systems (clients, servers) could run into the problem that new Item-Level Targeting in GPOs is broken. Here is some information about this problem.



Windows new Item-Level Targeting in GPOs

Group Policy Preferences (GPP) allow administrators to specify computer and user configuration settings. GPP also provides filtering of settings using item-level targeting, which allows settings to be applied precisely to a subset of users or computers, as Microsoft explains here.

Reports of broken GPO target group addressing

Shortly after patch day, various users reported that the August 2024 update broke the new Item-Level Targeting in GPOs (GPO target group addressing).

Report #1 about issues

In the discussion section of my German IT blog, user techee reported that the August 2024 updates break parts of the new Item-Level Targeting in GPOs. He was able to reproduce this on Windows Server 2022.

Report #2 about issues

On August 20, 2024, Michael R. wrote to me by email with the subject "August Update breaks new Item-Level Targeting in GPOs" because he had run into that issue too. He wrote about this:

Here is a short info about a problem with the cumulative Windows Update for August 2024.

As soon as the update is installed on a computer, there are issues with GPP target group addressing (new Item-Level Targeting)  – tested with Windows 11 and Windows Server 2022.

Specifically, the "Users in group" option can no longer be selected in the target group addressing under "Shared options" (see the screenshot below from a German Windows). Only the "Computers in group" option is active.

[Screenshot: Zielgruppenadressierung (item-level targeting) dialog from a German Windows]



The screenshot above, which Michael sent me, illustrates the bug. Both techee and Michael refer to a Reddit post where a user reports the same thing.

Report #3 about issues on reddit.com

The reddit.com post titled KB5041578 Breaks new Item-Level Targeting in GPOs mentions an update that is causing problems:

Looks like this breaks the ability to select "Users in Groups" for Security Groups Item Level targeting for GPOs.

Have two domains, one was patched last night, no domain controllers with KB5041578 installed can select "Users in Groups", it's greyed out. Domain that wasn't patched still had the option available. Uninstalled KB5041578 on one of the domain controllers, able to select "Users in Groups" again.

Existing GPOs are fine, hasn't broken those, only creation of new ones. If you already have an object listed with a user group selected, you can change it, it's still selected, but greyed out.

Be wary patching this if you need to make more of these.

Edit: GPP, any option, was noticed first for Printer mapping, but tried other GPPs and couldn't do User in Groups for any. Windows Server 2019. Haven't tried Powershelling yet.

For Windows Server 2019, this is caused by update KB5041578. For Windows Server 2022, however, it is KB5041160, which blocks the option to select Users in group. The affected person has verified this by uninstalling the update under Windows Server 2022. The option was then selectable again.

Here, a German user reports that since installing the August 2024 update under Windows Server 2019, GPO reporting no longer works for him.

A workaround

Mark Heitbrink, a German ex-MVP, proposed two workarounds in the comments on my German blog post. The first one:

  • Select computer in group
  • Select group so that the SID is entered
  • Save
  • Drag item from the desktop
  • Correct with Notepad
  • Integrate item via copy and paste, delete the other one

His second workaround: change the XML directly and set the flag/attribute/entry to userContext="1" (0 = computer is in group, in the case of the ILT).

German blog reader Carsten confirmed in this comment: I can also see this on Server 2022 DCs. The option is simply grayed out. However, this does not seem to affect existing GPOs. At least it shows the "userContext=1" in the XML when I open an older GPO.
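
The XML correction from the workarounds above, as an added PowerShell example (not code from the blog post, its commenters or Microsoft): it loads a saved preference item, lists each item-level targeting group filter, and switches the filter for one SID from userContext="0" to userContext="1". The `FilterGroup` element name and the sample item are assumptions based on the usual GPP XML layout; the function names, SID, group and printer names are constructed placeholders.

```powershell
# Added example. The item XML below is constructed and trimmed; SID and names are placeholders.
$itemXml = @'
<?xml version="1.0" encoding="utf-8"?>
<SharedPrinter name="EXAMPLE-PRINTER" status="EXAMPLE-PRINTER" image="2">
  <Properties action="U" path="\\printserver.example\EXAMPLE-PRINTER" default="0"/>
  <Filters>
    <FilterGroup bool="AND" not="0" name="EXAMPLE\Printer-Users" sid="S-1-5-21-1111111111-2222222222-3333333333-1234" userContext="0" primaryGroup="0" localGroup="0"/>
  </Filters>
</SharedPrinter>
'@

function Get-IltGroupFilter {
    # List every group filter in the item with its current context.
    param([Parameter(Mandatory)][System.Xml.XmlDocument]$Document)
    foreach ($f in $Document.SelectNodes('//FilterGroup')) {
        [pscustomobject]@{
            Group   = $f.GetAttribute('name')
            Sid     = $f.GetAttribute('sid')
            Context = if ($f.GetAttribute('userContext') -eq '1') { 'User in group' } else { 'Computer in group' }
        }
    }
}

function Set-IltUserContext {
    # Switch only the filter for the given SID from computer (0) to user (1) context.
    param(
        [Parameter(Mandatory)][System.Xml.XmlDocument]$Document,
        [Parameter(Mandatory)][string]$GroupSid
    )
    $changed = 0
    foreach ($f in $Document.SelectNodes('//FilterGroup')) {
        if ($f.GetAttribute('sid') -eq $GroupSid -and $f.GetAttribute('userContext') -ne '1') {
            $f.SetAttribute('userContext', '1')
            $changed++
        }
    }
    $changed
}

$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true      # keep the file layout as exported
$doc.LoadXml($itemXml)

Get-IltGroupFilter -Document $doc | Format-Table -AutoSize
$n = Set-IltUserContext -Document $doc -GroupSid 'S-1-5-21-1111111111-2222222222-3333333333-1234'
"Filters changed: $n"
Get-IltGroupFilter -Document $doc | Format-Table -AutoSize
$doc.OuterXml    # corrected item XML, ready to paste back
```

Running `Get-IltGroupFilter` against an older item is also a quick way to confirm, as Carsten did by hand, that existing filters still carry userContext="1".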

Similar articles:
Microsoft Security Update Summary (August 13, 2024)
Patchday: Windows 10/Server Updates (August 13, 2024)
Patchday: Windows 11/Server 2022-Updates (August 13, 2024)
Windows Server 2012 / R2 and Windows 7 (August 13, 2024)

Windows Server 2019/Windows 10 Enterprise 2019 LTSC: Performance Issues with Update KB5041578
Windows August 2024 update 'paralyzes' Linux boot

