On the 14th June Microsoft released KB3159398, an update produced to close a potential Man in the Middle (MiTM) vulnerability. To achieve this, Microsoft has changed the approach to Group Policy permissions that it has used for the last 16 years.
Where we have restricted a GPO to only certain users and removed the default “Authenticated Users” permission from the security filtering section, replacing it with our own user or group, application of the GPO will fail. When “Authenticated Users” is removed from the security filtering section, the implied read permission is also removed, which means the policy cannot be evaluated and an error is generated.
Fortunately, fixing our GPOs is simple. Edit the policy and, while in edit mode, update the security permissions for the GPO to grant Authenticated Users read permission again. Only users with the Apply Group Policy permission will have the policy applied.
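In a domain with many GPOs, the same check and fix can be scripted. The following is an added example, not part of the original post or a Microsoft script: it lists every GPO with no permission entry for Authenticated Users and then grants read-only access. It assumes the GroupPolicy PowerShell module (installed with GPMC/RSAT), a domain-joined host, and that the group resolves under its English name; the function names are hypothetical.

```powershell
# Added example. Requires the GroupPolicy module (GPMC / RSAT) on a domain-joined host.
Import-Module GroupPolicy

$AuthUsersSid = 'S-1-5-11'   # well-known SID for Authenticated Users

function Get-GpoMissingAuthUsers {
    # Emits one object per GPO in the current domain that has no
    # permission entry at all for Authenticated Users.
    foreach ($gpo in Get-GPO -All) {
        $entry = Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Trustee.Sid.Value -eq $AuthUsersSid }
        if (-not $entry) {
            [pscustomobject]@{ DisplayName = $gpo.DisplayName; Id = $gpo.Id }
        }
    }
}

function Add-GpoAuthUsersRead {
    # Grants GpoRead only (Read, without Apply Group Policy), so the
    # existing security filtering still decides who receives the policy.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][guid]$Id,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DisplayName
    )
    process {
        if ($PSCmdlet.ShouldProcess($DisplayName, 'Grant Authenticated Users GpoRead')) {
            # Assumption: the group name is the English "Authenticated Users".
            Set-GPPermission -Guid $Id -TargetName 'Authenticated Users' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
        }
    }
}

# Audit first, then preview the change. Remove -WhatIf to apply it.
$missing = @(Get-GpoMissingAuthUsers)
$missing | Format-Table -AutoSize
$missing | Add-GpoAuthUsersRead -WhatIf
```

Run the audit after any change to security filtering, since removing Authenticated Users from a GPO again will reintroduce the failure.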
Blog by Dean Lockwood, Solutions Architect