
Microsoft have recently released an update which is affecting servers and the group policies they use to secure networks, install printers, map drives and all the other wonderful things that they do.

The patch was created to prevent a theoretical “man in the middle” attack when GPOs are downloaded from your servers to your endpoints. However, when the patch is applied, there is a “double increase” in security, one with an unintended consequence.

The consequence is that some GPOs will no longer apply or be picked up by the user when you expect them to, unless a specific user group is added to the policy at server level. You could call this a “breaking change”. However, we think Microsoft wanted this behaviour updated. It's not end-of-the-world, Armageddon bad; it’s simply somewhat inconvenient to fix and make right again.

How do I fix it?!

If you're not sure of any of the steps below, we recommend you have an experienced IT professional assist you. Don't have one? Contact one of our team!

If you want to manually update an existing GPO to recover from this breaking change, there are two possible ways:

  • Add Domain Computers to the Security Filter as seen here.

  • Add Domain Computers “indirectly”, by using Delegation | Advanced and specifying READ but NOT “Apply Group Policy” as seen here.

If you want to automatically buzz through all of your GPOs and find the ones with problems, here’s a quick PowerShell script.
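
One way to audit every GPO for this problem, as an added example (not the script the original post linked to). It assumes the GroupPolicy module from RSAT is installed, an English-language domain where the groups are named "Authenticated Users" and "Domain Computers", and it treats either group holding a read-level permission as sufficient for computer accounts:

```powershell
# Added example: list GPOs that computer accounts are not granted read access to.
# Run on a machine with the Group Policy Management tools (GroupPolicy module).
Import-Module GroupPolicy

# Permission levels that include read access to the GPO.
# GpoCustom is deliberately excluded: custom ACLs need a manual look.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

# Assumption: these group names match your domain (they are localised on
# non-English installations). Either one covers domain-joined computers.
$computerGroups = 'Authenticated Users', 'Domain Computers'

$report = foreach ($gpo in Get-GPO -All) {
    # All delegation entries on this GPO that give a computer-covering
    # group at least read access.
    $covering = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object {
            $computerGroups -contains $_.Trustee.Name -and
            $readLevels -contains $_.Permission.ToString()
        }

    [pscustomobject]@{
        DisplayName      = $gpo.DisplayName
        Id               = $gpo.Id
        ComputersCanRead = [bool]$covering
        GrantedVia       = ($covering | ForEach-Object {
                               "$($_.Trustee.Name):$($_.Permission)"
                           }) -join ', '
    }
}

# GPOs needing attention: no read-level entry for either group.
$report |
    Where-Object { -not $_.ComputersCanRead } |
    Sort-Object DisplayName |
    Format-Table DisplayName, Id -AutoSize
```

The script only reads permissions and changes nothing. Running it again after a fix should return an empty table.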

If you want to automatically fix all your GPOs, there are two ways to do it:

  • One-liner PowerShell script as follows:

    Get-GPO -All | Set-GPPermissions -TargetType Group -TargetName "Domain computers" -PermissionLevel GpoRead

The update is installed on local clients and shows as KB3159398 within your installed updates list.

Why did Microsoft make this change?

The Official Microsoft Response to the patch can be found here.

 

 If you find you're experiencing issues with any of the above, please contact us, we're happy to help!