Posted on September 26, 2016 · Posted in Group Policies

MS16-072 Update Breaks Some Group Policies

In June 2016, Microsoft released security updates that changed the standard mechanism by which Windows group policies are applied. The updates, released in security bulletin MS16-072 of June 14, 2016, fix a vulnerability in the GPO retrieval mechanism. Let's consider why this update was released and what a system administrator needs to know about the changes in how GPOs are applied.

The MS16-072 updates fix a vulnerability that allows an attacker positioned as a man in the middle (MiTM) to intercept the Group Policy traffic between a computer and a domain controller. To close this gap, Microsoft changed the security context in which policies are retrieved: previously, user policies were retrieved in the security context of the user; after MS16-072 is installed, user policies are retrieved in the security context of the computer.

As a result, many administrators found that after the updates from this bulletin were installed, some policies stopped being applied. GPOs with the default permissions, in which the Authenticated Users group has the Read and Apply Group Policy permissions in Security Filtering, are applied as before. The problem appears only in policies with customized Security Filtering, in which the Authenticated Users group has no permissions at all.

GPO security filtering breaks after MS16-072

Previously, Microsoft's standing recommendation for Security Filtering was to remove the Authenticated Users group and add a user security group with the Read and Apply Group Policy permissions instead.

After MS16-072 / KB3159398 is installed, the computer account must also have the Read permission on the GPO object for the policy to be applied successfully.

Since both user and computer accounts are members of Authenticated Users, removing this group from the GPO leaves the computer account with no access to the GPO.

[Screenshot: GPO permissions with Authenticated Users granted Read and Apply Group Policy]

To solve this problem, either uninstall the update (not the right approach, but an effective one) or, in GPMC.MSC, add the Domain Computers group with the Read permission only on the Delegation tab of every policy that uses user-group Security Filtering.

[Screenshot: GPO Delegation tab with Domain Computers granted Read]

Thus, domain computers get the Read permission on this policy.

Note. The user groups must still keep the Read and Apply Group Policy permissions on the policy.

To find all GPO objects in the domain whose Security Filtering does not contain the Authenticated Users group (well-known SID S-1-5-11), you can use the following script:

# Requires the GroupPolicy module (RSAT) and PowerShell 3.0 or later for the -notin operator
Import-Module GroupPolicy

Get-GPO -All | ForEach-Object {
    # Collect the SIDs of every trustee on the GPO and keep the GPO if S-1-5-11 is absent
    if ('S-1-5-11' -notin ($_ | Get-GPPermission -All).Trustee.Sid.Value) {
        $_
    }
} | Select-Object DisplayName

[Screenshot: script output listing policies with SID S-1-5-11 missing from the GPO permissions]
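The script above only lists GPOs that lack Authenticated Users; it does not tell you whether the Domain Computers fix described earlier has already been applied, nor does it apply it. The following added example (not part of the original post) extends that check into an audit-and-remediate script: it reports, for every GPO, whether Authenticated Users (S-1-5-11) or Domain Computers (the well-known RID 515 of the domain) can read it, flags GPOs where neither is present, and can grant Domain Computers the Read permission only, leaving the user groups' Read and Apply entries untouched. It assumes the GroupPolicy module from RSAT on a domain-joined machine with rights to edit GPOs; the function names Test-GpoMs16072 and Repair-GpoMs16072 are invented for this example.

```powershell
# Added example, not from the original post.
# Assumes: GroupPolicy module (RSAT), domain-joined machine, permission to edit GPOs.
Import-Module GroupPolicy

$AuthenticatedUsersSid = 'S-1-5-11'   # well-known SID: Authenticated Users
$DomainComputersRid    = '-515'       # well-known RID suffix: Domain Computers

function Test-GpoMs16072 {
    # Returns one object per GPO describing which principals can read it.
    Get-GPO -All | ForEach-Object {
        $gpo   = $_
        $perms = Get-GPPermission -Guid $gpo.Id -All
        $sids  = @($perms | ForEach-Object { $_.Trustee.Sid.Value })

        $hasAuthUsers       = $AuthenticatedUsersSid -in $sids
        $hasDomainComputers = [bool]($sids | Where-Object { $_ -like "*$DomainComputersRid" })

        [pscustomobject]@{
            DisplayName         = $gpo.DisplayName
            Id                  = $gpo.Id
            AuthenticatedUsers  = $hasAuthUsers
            DomainComputersRead = $hasDomainComputers
            # Affected: neither Authenticated Users nor Domain Computers can read the GPO,
            # so after MS16-072 the computer account cannot retrieve user settings from it.
            Affected            = -not ($hasAuthUsers -or $hasDomainComputers)
        }
    }
}

function Repair-GpoMs16072 {
    # Grants Domain Computers the Read permission (GpoRead) on every affected GPO.
    # Supports -WhatIf / -Confirm so the change can be reviewed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    Test-GpoMs16072 | Where-Object Affected | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.DisplayName, 'Grant Domain Computers Read')) {
            # GpoRead only: the existing user-group Read + Apply entries are left as they are.
            Set-GPPermission -Guid $_.Id -TargetName 'Domain Computers' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
            $_.DisplayName
        }
    }
}

# Usage:
# Test-GpoMs16072 | Where-Object Affected | Format-Table DisplayName, AuthenticatedUsers, DomainComputersRead
# Repair-GpoMs16072 -WhatIf     # dry run: shows which GPOs would be changed
# Repair-GpoMs16072             # applies the Read permission for Domain Computers
```

Run the audit first and review the list: a GPO whose Security Filtering is deliberately restricted to a specific computer group is also reported as Affected by this check, because it contains neither principal, yet those computers can already read it through their own group. Such policies should be excluded by hand before running the repair.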

For large and complex infrastructures with a tangled group policy structure, the more convenient PowerShell script published by Microsoft, MS16-072 – Known Issue – Use PowerShell to Check GPOs, can be used to find the problem policies.
