Yesterday, I raised a red flag about a security patch from Microsoft this week that is breaking Group Policy for a number of customers.
The issue, as it turns out, is due to how customers have implemented Group Policy permissions.
Open a command prompt with administrative permissions and run SCONFIG from there.
In the sconfig prompt, select option ‘5’ to enter the update settings configuration and then choose:
A – Automatically scan, download and install updates.
D – Automatically scan, download updates.
M – Never check for updates, trigger manually.
This by-design behavior change protects customers’ computers from a security vulnerability. This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group, or if you are using security filtering and are missing Read permissions for the Domain Computers group.

PowerShell script: MS16-072 – Known Issue – Use PowerShell to Check GPOs

So, while it seems Microsoft is sort of blaming customers for their implementations of Group Policy security, there's a bigger factor here I hope doesn't get lost in the shuffle. We can thank Microsoft for delivering the recommended resolutions, but those didn't deliver until AFTER the patch caused customer pain.

Although installation and configuration of a WSUS server is very simple, there are many steps involved.

Please let me know about your experience in the comments while I get ready to publish my next post.
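To find GPOs in the state described above (no Read permission for Authenticated Users or Domain Computers), the following PowerShell sketch can be used. It is an added example, not the Microsoft script named in this post; the function name `Test-GpoComputerRead` and the sample data are assumptions made for illustration, and the live query needs the GroupPolicy module from RSAT.

```powershell
# Added example, not the Microsoft script referenced in the post.
# Reports GPOs that neither Authenticated Users nor Domain Computers can read,
# the condition under which GPOs stop applying after MS16-072.

function Test-GpoComputerRead {
    # $Permissions: entries shaped like Get-GPPermission -All output,
    # i.e. objects exposing Trustee.Sid and Permission.
    param([object[]]$Permissions = @())

    # Permission levels that include Read. GpoCustom is not listed here,
    # so GPOs with custom ACEs are reported and need a manual look.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($p in $Permissions) {
        $sid = [string]$p.Trustee.Sid
        # S-1-5-11 is Authenticated Users; RID 515 is Domain Computers.
        $isTarget = ($sid -eq 'S-1-5-11') -or ($sid -match '^S-1-5-21-.+-515$')
        if ($isTarget -and ($readLevels -contains [string]$p.Permission)) {
            return $true
        }
    }
    return $false
}

# Constructed sample (hypothetical SID): a security-filtered GPO whose only
# trustee is a user group, so computer accounts cannot read it.
$sample = @(
    [pscustomobject]@{
        Trustee    = [pscustomobject]@{ Name = 'HR-Users'; Sid = 'S-1-5-21-1-2-3-1104' }
        Permission = 'GpoApply'
    }
)
$sampleOk = Test-GpoComputerRead -Permissions $sample
"Constructed sample readable by computer accounts: $sampleOk"

# Live check, only when the GroupPolicy cmdlets are available.
if (Get-Command Get-GPO -ErrorAction SilentlyContinue) {
    Get-GPO -All |
        Where-Object {
            $perms = @(Get-GPPermission -Guid $_.Id -All)
            -not (Test-GpoComputerRead -Permissions $perms)
        } |
        Select-Object DisplayName, Id
}
```

Domain controllers are not members of Domain Computers, so a GPO that relies only on the Domain Computers entry should be reviewed separately if it is meant to apply to them.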