404 Tech Support

June 2016 Windows Update MS16-072 changes the behavior of group policies

If you are experiencing issues with Group Policies not working since installing the June 2016 Windows Updates, you need to be aware of a change that MS16-072 makes for security reasons. The vulnerability it fixes is identified as CVE-2016-3223. MS16-072 describes the vulnerability as a man-in-the-middle attack; to prevent it, user Group Policy is now retrieved using the computer's security context rather than the user's. The policy is still applied to the user, but the computer account is what reads it from the domain controller, so the computer account must be able to read every GPO the user is supposed to get. Microsoft's bulletin describes the issue this way:

An elevation of privilege vulnerability exists when Microsoft Windows processes group policy updates. An attacker who successfully exploited this vulnerability could potentially escalate permissions or perform additional privileged actions on the target machine.

To exploit this vulnerability, an attacker would need to launch a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine. An attacker could then create a group policy to grant administrator rights to a standard user. The security update addresses the vulnerability by enforcing Kerberos authentication for certain calls over LDAP.

Some forum threads report problems following KB3159398 and find that uninstalling the update allows User Configuration settings, including mapped drives, deployed printers, wallpapers, and the like, to resume working. KB3159398 is part of MS16-072. Another component is KB3163622, which explains this change in behavior. From the 'Known issues' section of KB3163622:

Known issues
MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers' computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user's security context. After MS16-072 is installed, user group policies are retrieved by using the machine's security context. This issue is applicable for the following KB articles:
3159398 MS16-072: Description of the security update for Group Policy: June 14, 2016
3163017 Cumulative update for Windows 10: June 14, 2016
3163018 Cumulative update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: June 14, 2016
3163016 Cumulative Update for Windows Server 2016 Technical Preview 5: June 14 2016
Symptoms

All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.

Cause

This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.

Resolution

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:
Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
If you are using security filtering, add the Domain Computers group with read permission.

The article provides the resolution. As this is not a bug accompanying the update but the intended behavior, administrators should not expect a later patch to undo it. The Group Policies that stop applying are the ones with customized security filtering: when Authenticated Users was removed from the GPO to scope it to a particular user or group, the computer account (which is a member of Authenticated Users) lost the ability to read the policy at all. By granting Authenticated Users the Read permission (Apply is not necessary) under the Delegation tab, the computer can read the GPO again while the Apply permission still limits which users actually receive it, and the organization stays fully patched. Granting Domain Computers Read instead, as the KB also suggests, has the same effect without touching the Authenticated Users entry.
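Checking every GPO by hand in GPMC is tedious in a domain with dozens of policies. The following PowerShell, an added example and not code from the original post or from Microsoft, uses the GroupPolicy module that ships with RSAT/GPMC to list the GPOs that no longer satisfy the MS16-072 requirement (neither Authenticated Users nor Domain Computers has an allow Read, Apply, or Edit entry) and, when run with -Fix, grants Authenticated Users Read only. The function and parameter names are my own; it assumes the GroupPolicy module is available and the caller is allowed to read and edit GPO security.

```powershell
# Added example (not from the original post or from Microsoft).
# Audits every GPO for the read access that MS16-072 now requires and optionally fixes it.
# Assumes the GroupPolicy module (RSAT / GPMC) is installed and the caller can edit GPO security.
param([switch]$Fix)

Import-Module GroupPolicy -ErrorAction Stop

# Well-known SIDs: Authenticated Users is S-1-5-11; Domain Computers is <domain SID>-515.
$AuthenticatedUsersSid = 'S-1-5-11'
$DomainComputersRid    = '-515'

# Permission levels that include read access to the GPO (GpoCustom is deliberately excluded,
# because it does not tell us whether Read was kept).
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoReadableByComputer {
    <#
      Returns $true when the GPO has a non-denied entry that lets either Authenticated Users
      or Domain Computers read it, which is what the computer account needs after MS16-072.
    #>
    param([Parameter(Mandatory)][Microsoft.GroupPolicy.Gpo]$Gpo)

    $entries = Get-GPPermission -Guid $Gpo.Id -All -ErrorAction Stop
    $readers = $entries | Where-Object {
        -not $_.Denied -and
        ("$($_.Permission)" -in $ReadLevels) -and
        ("$($_.Trustee.Sid)" -eq $AuthenticatedUsersSid -or "$($_.Trustee.Sid)".EndsWith($DomainComputersRid))
    }
    return [bool]$readers
}

function Get-GpoNeedingMs16072Fix {
    # Every GPO in the domain that the computer account can no longer read.
    Get-GPO -All | Where-Object { -not (Test-GpoReadableByComputer -Gpo $_) }
}

$broken = @(Get-GpoNeedingMs16072Fix)

if ($broken.Count -eq 0) {
    Write-Host 'All GPOs grant Read to Authenticated Users or Domain Computers.'
    return
}

Write-Host "GPOs missing computer-readable access ($($broken.Count)):"
$broken | Select-Object DisplayName, Id | Format-Table -AutoSize

if ($Fix) {
    foreach ($gpo in $broken) {
        # Read only: security filtering still decides who gets the policy via the Apply permission.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
                         -PermissionLevel GpoRead -ErrorAction Stop | Out-Null
        Write-Host "Granted Authenticated Users Read on '$($gpo.DisplayName)'"
    }
}
```

Run it once without -Fix to review the list, then with -Fix to apply the change; GpoRead on its own does not add Apply, so a GPO that was filtered to a specific group is still delivered only to that group, which is exactly the outcome the KB article describes.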