Select Page
This entry has been published on 2016-08-21 and may be out of date.

Last Updated on 2016-08-21.

[:en]Nowadays it seems like Windows domain administrators will have to test every single Windows update separately and in a test environment before deploying, which is nearly impossible in many cases. WSUS was very reliable a few years ago, and only working updates were released. You could have accepted hundreds of updates at once and there was not one problem. Unfortunately, this time is over.

One current example is KB3163622. It comes via WSUS and might cost hours of searching for errors in your group policy objects. It causes every GPO which affects only small groups or single users NOT to be applied.

At last, it also affects e.g. Windows 7 or other OS not in the update description (it might only get installed on your 2012 R2 domain controller(s), so the workstations could receive “wrong” GPO informations).

The update basically seems to be well-intentioned, as it is defined as a security update for Man-in-the-middle attacks. But there is no explicit information or warning that existing GPOs would simply be ignored under certain circumstances (which do not contain any insecure setting).

Workaround

If you experience GPOs not being applied with this update, add the security group “Domain computers” (German: Domänencomputer) to your GPO.

This is quite weird, but it works. At least, there is no side effect if you e.g. only use “User configuration” in your GPO.

One fact which is even more confusing: If the GPO is assigned to group “Authenticated Users” (German: Authentifizierte Benutzer), it works like before – you do not have to add the domain computers group.

 

References:

https://support.microsoft.com/en-us/kb/3163622

http://www.infoworld.com/article/3084930/microsoft-windows/microsoft-acknowledges-permission-problems-with-ms16-072-patches-kb-3159398-3163017-3163018-3163016.html

https://social.technet.microsoft.com/Forums/windowsserver/en-US/d47ce0e9-122b-4418-aac9-3bed20fe38f9/solved-certain-gpos-not-applying-unless-user-is-local-admin?forum=winserverGP[:]