Official Microsoft Guidance for MS16-072 Breaking Security Patch

Microsft has just published a post about the MS16-072 hotfix that was release this month. Needless to say there has been a lot of organisation caught off guard by this change wanting to know how to fix the problem. However what is also more confusing is there are actaully two different ways to fix this problem. You can either add back the “Authenticated Users” group with “Read” access or you can add the “Domain Computers” group with read access.

There has also been a lot of debate in the Group Policy community about what is the “best” way to fix this problem. Should you add “Authenticated Users” or “Domain Computers”? Personally i think adding “Authenticated Users” read permission back is the way to do it as this restores the original permission that was removed in the first place. It also means the permission applied to you GPO’s will be consistent which is always highly desirable attribute for supporting any envrionmnet. However, you might have some settings in your GPO that you want to obfuscate from the users. If this is the case then adding “Domain Comptuers” read access is also totally valid. Doing for security filters user Group Policy Objects will mean that that normal users will not be able to read the settings. But, be absolutley clear this will only obfuscates the GPO settings, as a local admin could still conceviable run the as the local machine system account and read the settings. Yes it is a way to hide your organisations settings from a bag guy, but it also might make troubleshooting GPO polices harder as non-domain admins will no longer be able to see all the GPO’s.

Ultimatly it is your decision as to how you want to fix the problem. Either add “Autenticated Users” or “Domain Computers” but either way, make sure you review all your security filtered Group Policy Objects to make sure the permission are added to the GPO so they work.


How to fix broken GPO because of MS16-072

So as many of you may know, yesterday Microsoft released a security hotfix that changed the behavior of Group Policy. Put simply if you have a security group filtered User Group Policy Object and you also removed the “Authenticated Users” group from the policy it will no longer apply after you install MS16-072.

In light of this Ian Farr from Microsoft has released a PowerShell script that identifies all the Group Policy Objects that have “Authenticated Users” removed. It is important to note that not all of the GPO’s are necessarily affected, only the ones that are applied to AD user objects.


In addition to this Microsoft also released a KB outlining the issues and what can be done manually to fix the problem.


Finally, fellow Group Policy MVP Darren Mar-Elia has released a PowerShell script of his own that adds back the “Authenticated Users” read permission to the GPO’s that are missing the permission.


The key take away from this is that it certainly appears that this is going to be a permanent change with how security group filtered GPO’s apply. So going forward be aware that it more than just a Bad Idea to do remove “Authenticated Users”, it could down right break the GPO.


Updated – MS16-072 may break your User Group Policies “by-design”

This is a PSA for all Group Policy administrator about MS16-072 that was release yesterday. This patch fixed a man in the middle attack using Group Policy Update however it appears that it has also changed the behavior that Group Policy is applied. If you have a security filtered group policy that are applied to users AND you have also removed “Authenticated Users” group from the GPO then this GPO will no longer apply to the user.

To workaround this problem you can either remove the patch or add “read” permissions to the “Authenticated Users” group back to the GPO. This allows the computer object to read the policy setting and the policy will then work again. As a reminder I stressed back in 2010 that you should never just remove “Authenticated Users” from your GPO’s and that you should instead simply remove the “Apply” permission for the group. See

No word yet if this is deliberate change in behavior to fix the man in the middle attack or if this is something that will be fixed.

Update: Thanks to Darren Mar-Elia he had discovered that this was actually a documented change in behavior

MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the machines security context.

Forum post

MS16-072 – Important: Security Update for Group Policy (3163622) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (June 14, 2016): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine .

from Microsoft Security Content

New Enterprise improvements coming to IE11 on Windows 7 and 8.1

June 14, 2016 10:00 am

In Windows 10 version 1511, we announced a number of improvements to our collection of Enterprise Mode tools, designed to help customers upgrade more easily to Internet Explorer 11. These tools include a new v.2 Enterprise Mode XML schema, which is designed to be simpler, cleaner, more scalable, and to help ease list management. We also updated the Enterprise Mode Site List Manager tool, allowing you to import an existing v.1 XML file and automatically convert it to the v.2 XML schema. We added support for HTTP ports, and also introduced a new about:compat page in Microsoft Edge and Internet Explorer 11 to help customers better manage their Enterprise Mode Site List.

To provide a stable environment where compatibility is a top priority, our goal is to keep Internet Explorer 11 consistent, no matter what device or platform you use it on. Today, we are excited to announce that many of these improvements are now available for Internet Explorer 11 on Windows 7, Windows 8.1 and Windows 10 (version 1507). These improvements are included in today’s cumulative updates to Windows.

v.2 XML schema now supported on Windows 7, Windows 8.1, and Windows 10

We have received great feedback regarding the updated schema. Customers are finding the new version much easier to read and manage than the previous version.

Below is an example of an Enterprise Mode Site List based on the previous v.1 XML schema:

Compare the same Enterprise Mode Site List using the v.2 XML schema:

Effective today, the v.2 XML schema is now supported on Windows 7 and Windows 8.1, in addition to Windows 10.

We encourage customers to migrate their existing site lists using v.1 to leverage v.2. Going forward, new features will only be brought to the v.2 XML schema. Customers should not consider moving to the v.2 XML schema until this patch lands on all of their devices.

The Enterprise Mode Site List Manager tools have been renamed accordingly to reflect the new support matrix:

Internet Explorer 11 and Microsoft Edge both have, and use, their own Enterprise Mode Site List. We highly recommend using one shared list between both browsers to simplify manageability and maintenance. You can reference the same XML file in either browser’s policy setting.

about:compat now available on Windows 7, Windows 8.1, and Windows 10

The about:compat page in Microsoft Edge and Internet Explorer 11 helps customers manage their Enterprise Mode Site List by listing all of the compatibility features you or Microsoft have applied to sites on the client machine.

Effective today, the about:compat page in Internet Explorer 11 is also available on Windows 7 and Windows 8.1, in addition to Windows 10.

We rely on feedback from our customers to continue making improvements to our enterprise tooling. Your input helps us prioritize and make these products better, so we look forward to hearing what you think! You can reach us on Twitter or in the comments below.

— Alec Oot, Senior Program Manager
— Josh Rennert, Program Manager

Updated June 14, 2016 10:11 am

from IEBlog