Windows update changes Group Policy Security Filtering (MS16-072)

With the 14. June 2016 patches, Microsoft released a Windows update that changes how Security Filtering is processed for Group Policies, and this change may cause group policies to fail on company computers.

To solve the potential issue, follow the instructions below and ensure to apply one of the recommended resolution steps.

MS16-072: Security update for Group Policy: June 14, 2016

Symptoms

All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.

Cause

Before MS16-072 is installed, user group policies were retrieved by using the user’s security context.

After MS16-072 is installed, user group policies are retrieved by using the computer’s security context.

Issues may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group, or if you are using security filtering and are missing the Read permissions for the Domain Computers group.

Recommended resolution

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of these steps:

  • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
  • If you are using custom security filtering, add the Domain Computers group with Read permission to each policy.

The Domain Computers group is by default part of the Authenticated Users group, and you only need to add Domain Computers to the GPO with Read permissions, if you want to avoid Authenticated Users having Read permission to some Group Policy Objects.

To solve issues related to the MS16-072, it is not required to also grant the the “Apply group policy” permission to Authenticated Users group, as this may completely change the target of the policy settings.

Affected Software:

  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2   (Windows Server 2008 Server Core installation affected)
  • Windows Server 2008 for x64-based Systems Service Pack 2   (Windows Server 2008 Server Core installation affected)
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1   (Windows Server 2008 R2 Server Core installation affected)
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8.1 for 32-bit Systems
  • Windows 8.1 for x64-based Systems
  • Windows Server 2012   (Windows Server 2012 Server Core installation affected)
  • Windows Server 2012 R2   (Windows Server 2012 R2 Server Core installation affected)
  • Windows RT 8.1
  • Windows 10 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 Version 1511 for 32-bit Systems
  • Windows 10 Version 1511 for x64-based Systems

Impact:                            Elevation of Privilege
Version Number:         1.0
Reference:                       https://support.microsoft.com/en-us/kb/3163622

To get an overview of your environment, the following cmdlet can be used to generate a report for all Group Policies in the current domain:

Get-GPOReport -All -ReportType Html -Path C:\TEMP\GPOReportsAll.html

Search for errors:    “Reason Denied: Inaccessible, Empty or Disabled”

 

UPDATE

To get an overview of the affected policies, Ian Farr “PoSh Chap” from Microsoft’s Global Business Support group, have created a PowerShell script that queries all GPO’s and output colored warnings for the policies where the Security Filtering must be adjusted to avoid issues related to the MS16-072 update.

clip_image001

Besides the Red output, that relates to policies requiring a change of their Security Filtering (refer to the resolution steps above in this post), the PowerShell script also displays these three types of INFORMATION output:

  • Yellow – the GPO does not have an Authenticated Users permission, but does contain a Domain Computers permission
  • Yellow – the GPO has an Authenticated Users permission that is not “GpoApply” (Read / Apply) or “GpoRead” (Read)
  • White – the GPO has the expected Authenticated Users permission.
PowerShell script:

#Load GPO module
Import-Module GroupPolicy

#Get all GPOs in current domain
$GPOs = Get-GPO -All

#Check we have GPOs
if ($GPOs) {

#Loop through GPOs
Foreach ($GPO in $GPOs) {

#Nullify $AuthUser & $DomComp
$AuthUser = $null
$DomComp = $null

#See if we have an Auth Users perm
$AuthUser = Get-GPPermissions -Guid $GPO.Id -TargetName “Authenticated Users” -TargetType Group -ErrorAction SilentlyContinue

#See if we have the ‘Domain Computers perm
$DomComp = Get-GPPermissions -Guid $GPO.Id -TargetName “Domain Computers” -TargetType Group -ErrorAction SilentlyContinue

#Alert if we don’t have an ‘Authenticated Users’ permission
if (-not $AuthUser) {

#Now check for ‘Domain Computers’ permission
if (-not $DomComp) {
Write-Host “WARNING: $($GPO.DisplayName) ($($GPO.Id)) does not have an ‘Authenticated Users’ permission or ‘Domain Computers’ permission – please investigate” -ForegroundColor Red
}   #end of if (-not $DomComp)
else {

#COMMENT OUT THE BELOW LINE TO REDUCE OUTPUT!
Write-Host “INFORMATION: $($GPO.DisplayName) ($($GPO.Id)) does not have an ‘Authenticated Users’ permission but does have a ‘Domain Computers’ permission” -ForegroundColor Yellow
}   #end of else (-not $DomComp)
}   #end of if (-not $AuthUser)
elseif (($AuthUser.Permission -ne “GpoApply”) -and ($AuthUser.Permission -ne “GpoRead”)) {

#COMMENT OUT THE BELOW LINE TO REDUCE OUTPUT!
Write-Host “INFORMATION: $($GPO.DisplayName) ($($GPO.Id)) has an ‘Authenticated Users’ permission that isn’t ‘GpoApply’ or ‘GpoRead'” -ForegroundColor Yellow
}   #end of elseif (($AuthUser.Permission -ne “GpoApply”) -or ($AuthUser.Permission -ne “GpoRead”))
else {

#COMMENT OUT THE BELOW LINE TO REDUCE OUTPUT!
Write-Output “INFORMATION: $($GPO.DisplayName) ($($GPO.Id)) has an ‘Authenticated Users’ permission”
        }   #end of else (-not $AuthUser)
    }   #end of foreach ($GPO in $GPOs)
}   #end of if ($GPOs)

Reference:  https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/

Leave a Reply