{"id":850,"date":"2016-06-16T00:26:46","date_gmt":"2016-06-15T22:26:46","guid":{"rendered":"http:\/\/borncity.com\/win\/?p=850"},"modified":"2016-06-16T10:40:50","modified_gmt":"2016-06-16T08:40:50","slug":"update-kb3159398-breaks-group-policy-in-windows","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2016\/06\/16\/update-kb3159398-breaks-group-policy-in-windows\/","title":{"rendered":"Update KB3159398 breaks Group Policy in Windows"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" title=\"Update\" style=\"border-left-width: 0px; border-right-width: 0px; border-bottom-width: 0px; float: left; margin: 0px 10px 0px 0px; display: inline; border-top-width: 0px\" border=\"0\" alt=\"Windows Update\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/02\/Update.jpg\" width=\"40\" align=\"left\" height=\"40\">[<a href=\"http:\/\/www.borncity.com\/blog\/2016\/06\/16\/windows-gpo-update-kb3159398-macht-probleme\/\" target=\"_blank\">German<\/a>] Microsoft's update KB3159398, released on patch day June 14, 2016, is causing serious problems with Windows Group Policy. Remark: Microsoft has updated the KB article with a description of the workaround posted below. And there is a PowerShell script to fix this issue.<\/p>\n<p><!--more--><\/p>\n<p>I've mentioned the important <a href=\"https:\/\/technet.microsoft.com\/library\/security\/MS16-072\" target=\"_blank\">MS16-072<\/a>: Security Update for Group Policy (3163622) in my blog post <a href=\"https:\/\/borncity.com\/win\/2016\/06\/15\/microsoft-patch-day-june-14-2016\/\">Microsoft Patch day June 14, 2016<\/a>. 
This security update resolves a vulnerability in Microsoft Windows that could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine. All Windows versions are affected:<\/p>\n<ul>\n<li>Windows Vista Service Pack 2<\/li>\n<li>Windows Vista x64 Edition Service Pack 2<\/li>\n<li>Windows Server 2008 for 32-bit Systems Service Pack 2 (Windows Server 2008 Server Core installation affected)<\/li>\n<li>Windows Server 2008 for x64-based Systems Service Pack 2 (Windows Server 2008 Server Core installation affected)<\/li>\n<li>Windows Server 2008 for Itanium-based Systems Service Pack 2<\/li>\n<li>Windows 7 for 32-bit Systems Service Pack 1<\/li>\n<li>Windows 7 for x64-based Systems Service Pack 1<\/li>\n<li>Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Windows Server 2008 R2 Server Core installation affected)<\/li>\n<li>Windows Server 2008 R2 for Itanium-based Systems Service Pack 1<\/li>\n<li>Windows 8.1 for 32-bit Systems<\/li>\n<li>Windows 8.1 for x64-based Systems<\/li>\n<li>Windows Server 2012 (Windows Server 2012 Server Core installation affected)<\/li>\n<li>Windows Server 2012 R2 (Windows Server 2012 R2 Server Core installation affected)<\/li>\n<li>Windows RT 8.1<\/li>\n<li>Windows 10 for 32-bit Systems<\/li>\n<li>Windows 10 for x64-based Systems<\/li>\n<li>Windows 10 Version 1511 for 32-bit Systems<\/li>\n<li>Windows 10 Version 1511 for x64-based Systems<\/li>\n<\/ul>\n<p>Shortly after the release of <a href=\"https:\/\/support.microsoft.com\/en-us\/kb\/3159398\" target=\"_blank\">KB3159398<\/a> I received comments on my German blog about issues with this update. 
Later, the TechNet forum thread <a href=\"https:\/\/social.technet.microsoft.com\/Forums\/en-US\/e2ebead9-b30d-4789-a151-5c7783dbbe34\/patch-tuesday-kb3159398?forum=winserverGP\" target=\"_blank\">Patch Tuesday \u2013 KB3159398<\/a> started discussing further issues. A <a href=\"https:\/\/www.reddit.com\/r\/sysadmin\/comments\/4o78yo\/kb3159398_or_kb3164033_seems_to_remove_all\/\" target=\"_blank\">Reddit discussion<\/a> also reported issues with printers. It seems that <a href=\"https:\/\/support.microsoft.com\/en-us\/kb\/3159398\" target=\"_blank\">KB3159398<\/a>:<\/p>\n<ul>\n<li>breaks desktop shortcuts and icons<\/li>\n<li>breaks drive mappings<\/li>\n<li>breaks printer and other GPOs<\/li>\n<\/ul>\n<p>Some users uninstalled update KB3159398 \u2013 but this does not seem to be the best idea. A better workaround has been proposed in the TechNet forum thread <a href=\"https:\/\/social.technet.microsoft.com\/Forums\/en-US\/e2ebead9-b30d-4789-a151-5c7783dbbe34\/patch-tuesday-kb3159398?forum=winserverGP\" target=\"_blank\">Patch Tuesday \u2013 KB3159398<\/a>. The broken GPOs are caused by a missing Read permission for Authenticated Users.<\/p>\n<ul>\n<li>Fire up Group Policy Management (<em>gpmc.msc<\/em>) on your Windows Server<\/li>\n<li>Go to the GPO you want to modify and open the Delegation tab<\/li>\n<li>Add Authenticated Users with Read permission<\/li>\n<\/ul>\n<p>This should fix the GPO, and you should be able to use it again. Hope it helps \u2013 maybe Microsoft will release a revised update KB3159398 soon.<\/p>\n<h3>Postscript: Microsoft has added the workaround description<\/h3>\n<p>Microsoft has extended the <a href=\"https:\/\/support.microsoft.com\/en-us\/kb\/3163622\" target=\"_blank\">KB3163622<\/a> (MS16-072: Security update for Group Policy: June 14, 2016) description with the following text.<\/p>\n<blockquote>\n<p><strong>Known issues<\/strong><\/p>\n<p>MS16-072 changes the security context with which user group policies are retrieved. 
This by-design behavior change protects customers' computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user's security context. After MS16-072 is installed, user group policies are retrieved by using the machine's security context. This issue is applicable to the following KB articles:<\/p>\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/en-us\/kb\/3159398\">3159398<\/a> MS16-072: Description of the security update for Group Policy: June 14, 2016<\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/en-us\/kb\/3163017\">3163017<\/a> Cumulative update for Windows 10: June 14, 2016<\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/en-us\/kb\/3163018\">3163018<\/a> Cumulative update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: June 14, 2016<\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/en-us\/kb\/3163016\">3163016<\/a> Cumulative Update for Windows Server 2016 Technical Preview 5: June 14, 2016<\/li>\n<\/ul>\n<p><strong>Symptoms<\/strong><\/p>\n<p>All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain-joined computers.
<\/p>\n<p><strong>Cause<\/strong><\/p>\n<p>This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.<\/p>\n<p><strong>Resolution<\/strong><\/p>\n<p>To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:<\/p>\n<ul>\n<li>Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).<\/li>\n<li>If you are using security filtering, add the Domain Computers group with read permission.<\/li>\n<\/ul>\n<\/blockquote>\n<h3>Update: PowerShell script to fix this issue<\/h3>\n<p>My MVP colleague Mark Heitbrink pointed me to the article <a href=\"https:\/\/sdmsoftware.com\/group-policy-blog\/bugs\/new-group-policy-patch-ms16-072-breaks-gp-processing-behavior\/\" target=\"_blank\">New Group Policy Patch MS16-072\u2013 \"Breaks\" GP Processing Behavior<\/a>, where Darren created a PowerShell script to add the Read permission to GPOs.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] Microsoft's update KB3159398, released on patch day June 14, 2016, is causing serious problems with Windows Group Policy. Remark: Microsoft has updated the KB article with a description of the workaround posted below. 
And there is a PowerShell script to &hellip; <a href=\"https:\/\/borncity.com\/win\/2016\/06\/16\/update-kb3159398-breaks-group-policy-in-windows\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22,2],"tags":[166,219,35,236,194],"class_list":["post-850","post","type-post","status-publish","format-standard","hentry","category-update","category-windows","tag-issues","tag-patch-day","tag-troubleshooting","tag-update-kb3159398","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/850","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=850"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/850\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=850"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=850"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=850"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}