The patches all aimed at fixing Group Policy, but in the end they break Group Policy Credit: Thinkstock Problems are being reported with the MS16-072/KB 3163622 patch. Admins are saying it breaks some Group Policy settings: drives appear on domain systems that should be hidden, mapping drives don’t work, and other typical GPO settings aren’t getting applied. Although initial reports of misbehaving GPOs appeared for Windows 7 client PCs, it looks like the bug applies to Windows 7 clients, Windows 8.1, and even all versions of Windows 10 clients. The patch in question rolled out on Patch Tuesday. Very early on Thursday morning, Microsoft updated the KB 3163622 article with this explanation: MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the machines security context. This issue is applicable for the following KB articles: 3159398 MS16-072: Description of the security update for Group Policy: June 14, 2016 3163017 Cumulative update for Windows 10: June 14, 2016 3163018 Cumulative update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: June 14, 2016 3163016 Cumulative Update for Windows Server 2016 Technical Preview 5: June 14 2016 Symptoms All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers. Cause This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group. Resolution To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps: Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO). If you are using security filtering, add the Domain Computers group with read permission. Apparently, admins also have the option of simply pulling the patch. As of early Thursday morning, none of the other KB articles have been updated to reflect this acknowledged problem. They don’t contain warnings about the bug or its solution. Related content opinion On a personal note... Woody Leonhard looks back a bit, looks ahead to retirement — and shares good news about who's picking up the Windows patching torch. By Woody Leonhard Nov 09, 2020 3 mins Small and Medium Business Computers Windows news analysis Get Microsoft's October patches installed — and seriously consider Win10 2004 Odd ancillary patches have their problems, but the mainstream October patches look pretty reliable. The big question: Is Win10 version 2004 up to your stability standards. I’m skeptical -- especially because it has few worthwhile improvements. By Woody Leonhard Oct 30, 2020 6 mins Small and Medium Business Microsoft Computers news analysis Microsoft Patch Alert: October 2020 The big news with this month’s patches – aside from the usual smorgasbord of strange errors – has more to do with the patches that are outside the regular cumulative update stream. Remarkably, we didn’t get any security fixes By Woody Leonhard Oct 22, 2020 189 mins Small and Medium Business Microsoft Office Microsoft news analysis With Patch Tuesday here, be sure Windows Update is paused With all the flotsam floating around, it’s easy to lose sight of Second Tuesdays. October’s arrives tomorrow and, with it, another round of Windows and Office patches. Take a minute to make sure you aren’t in the front lines, as eve By Woody Leonhard Oct 12, 2020 5 mins Small and Medium Business Microsoft Windows Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe