Microsoft last week released security update bulletin MS 16-072. This upgrade seeks to improve security with Group Policy implementations, however due to the way it works, it actually can break the application of GPO in certain environments. Environments such as SBS 2003 R2, SBS 2008 and SBS 2011 are subject to this problem. The result would be that if you install this patch you will find the WSUS group policies no longer apply to the machines in the environment.
Other environments outside SBS may also be affected if you use the security filtering of Group Policy and you elect to ONLY have the chosen groups in there that you want the GPO to apply to. The solution is to add the Authenticated Users group with READ permission. Note this will NOT permit the GPO to APPLY to those users, simply that they can READ the given GPO.
This problem effects KS KB3159398, KB3163018, KB3163018.
Here’s a few articles which talk about this issue in far more depth. I’d recommend reading more on this.
The original Security Bulletin MS16-072 https://technet.microsoft.com/library/security/MS16-072
Microsoft acknowledge the issue here on KB3163622 https://support.microsoft.com/en-us/kb/3163622
And here’s two articles that describe a script you can run on your AD Domain to see if you are subject to the issue and then a second one that talks more indepth and includes a script that will do some basic fixes of your GPOs in your domain.
I’m doing testing right now on SBS 2011 and will report back further on this later.
[…] to the blog post I put up yesterday, I’ve now done additional testing and found that the script referenced in the article here is not […]