Following some reports of bad patches from Microsoft this month, we have denied KB3159398 and KB3161561 for the moment. There is not enough information on the potential impact, so we will wait to see what others find in the next week.
More info as follows:
KB3159398 – MS16-072: Security Update for Group Policy
This patch is rated Important. We are delaying its release for at least one week. During the coming week we will work on ways to identify systems that might have problems with KB3159398 and create agent procedures to mitigate them. We will update this article next Friday (June 24) with our recommendations.
MS16-072 “breaks some Group Policy settings: drives appear on domain systems that should be hidden, mapping drives don’t work, and other typical GPO settings aren’t getting applied.”
Per Microsoft’s known issues:
MS16-072 changes the security context with which user group policies are retrieved. This by-design behaviour change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer’s security context.
Symptoms: All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.
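An added example (not from the original article or from Microsoft): since user policy is now retrieved in the computer's security context, a GPO is at risk when the computer account cannot read it. The PowerShell function below lists GPOs where neither Authenticated Users nor Domain Computers holds a read-capable permission. Treating those two groups as the way computers gain Read access is an assumption, and the function name is hypothetical.

```powershell
# Added example: find GPOs the computer account may be unable to read.
# Requires the GroupPolicy module (RSAT / GPMC) and a domain-joined session.
Import-Module GroupPolicy

function Get-GpoUnreadableByComputer {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$Domain = $env:USERDNSDOMAIN
    )

    # Permission levels that include Read on the GPO.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $perms = Get-GPPermission -Guid $gpo.Id -All -Domain $Domain

        # Assumption: computers get Read through Authenticated Users (S-1-5-11)
        # or Domain Computers (RID 515). Matching on SID avoids localized names.
        $computerCanRead = $perms | Where-Object {
            $sid = $_.Trustee.Sid.Value
            ($sid -eq 'S-1-5-11' -or $sid -like 'S-1-5-21-*-515') -and
            ($readLevels -contains $_.Permission.ToString()) -and
            -not $_.Denied
        }

        if (-not $computerCanRead) {
            # Who the GPO is security filtered to, for the reviewer.
            $filteredTo = $perms |
                Where-Object { $_.Permission.ToString() -eq 'GpoApply' } |
                ForEach-Object { $_.Trustee.Name }

            [pscustomobject]@{
                DisplayName = $gpo.DisplayName
                Id          = $gpo.Id
                GpoStatus   = $gpo.GpoStatus
                FilteredTo  = $filteredTo -join '; '
            }
        }
    }
}

# Read-only audit: nothing in the domain is modified.
Get-GpoUnreadableByComputer | Sort-Object DisplayName | Format-Table -AutoSize
```

A GPO that grants Read to computers through some other custom group will still be listed, so treat the output as a review list.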
KB3161561 – MS16-075: Security Update for Windows SMB Server and MS16-076: Security Update for Netlogon
This patch is rated Important. While the “headlines” this week have been dominated by KB3159398, we have seen a handful of reports that KB3161561 is causing problems – “access denied errors during group policy processing” and “2008 R2 DC started blue screening”. Microsoft has not yet confirmed any issues. However, because the number of reports appears to be growing, we will delay the release of KB3161561 for one week. We will update this article next Friday (June 24) with our recommendations.