  • Security update for Group Policy, KB 3159398, breaks Group Policy


    This topic contains 32 replies, has 3 voices, and was last updated by  jadIT 4 months, 3 weeks ago.

    • #40797 Reply

      woody
      Da Boss

      I’m coming up to speed on this one, on a very busy Wednesday morning. Anything new to add? From DC_FS on the TechNet forum: I found out that if you gi
      [See the full post at: Security update for Group Policy, KB 3159398, breaks Group Policy]

    • #40798 Reply

      jadIT
    • #40799 Reply

      jcarl

      Confirmed in our test environment. Looks like it’s breaking user policies applied to user OU’s.

      Haven’t confirmed or finished testing to see if it affects filtered policies yet.

    • #40800 Reply

      PkCano

      As per KB3050265, if you used Group Policies to block Win10 upgrade….what then???

    • #40801 Reply

      woody
      Da Boss

      I haven’t seen any indication, anywhere that the Group Policies for blocking Win10 have been overridden. Microsoft is still sticking to its rules of engagement.

    • #40802 Reply

      Anonymous

      Is this client side or domain controller side?

    • #40803 Reply

      woody
      Da Boss

      Only report I’ve seen says controller side.

    • #40804 Reply

      toliver2112

      I personally would not recommend the delegation of Read access to any security filtered GPO as mentioned above. This may work around the patch issue but could actually be detrimental. Unless Microsoft gives us a convincing reason why we should do this with all of our GPOs that use security filtering, I’d prefer just not applying the patch until a fix is produced.

      On a side note, I now count 3 months running (and perhaps more) where Microsoft has really munged things up for a fairly large segment of their customer base.

    • #40805 Reply

      Allan

      @woody:

      Is it safe to install this update if one does not have Group Policy? Thanks.

      Windows 8.1 Home, 64 bit.

    • #40806 Reply

      woody
      Da Boss

      I doubt that it’s even offered!

      If it is, just keep in mind that we’re at MS-DEFCON 2 — the downside of installing right now is greater than the upside of improved… whatever.

    • #40807 Reply

      Tom

      I have Windows 7 Home Premium 64-bit and this particular update is also offered on my machine.

      And W7 Home Premium doesn’t even have that feature if I recall correctly.

      So at this moment I’m not sure anymore on what machines M$ is deploying this patch.

    • #40808 Reply

      ch100
      AskWoody MVP

      I found out that if you give the Group authenticated users the right to read the GPO (Just Read, not to Apply the GPO) then the Policies work again.

      Any setup of Group Policies security which does not give Authenticated Users Read access is incorrect, although 90% of administrators do just that when they do security filtering based on groups or users. It is possible to remove Authenticated Users from the set of permissions, but instead all computers involved need to be added to the set of permissions, which is generally missed. The safest way is to leave Authenticated Users, which includes all Domain Computers, in the set of ACLs as Read at minimum.

    • #40809 Reply

      ch100
      AskWoody MVP

      It is well documented by Microsoft that the Authenticated Users built-in group is recommended to have Read permissions on all GPOs. It is not a workaround; it is an official recommendation, although not mandatory.
      Please read my other reply for details to understand why it is so. The alternatives just make the setup more complex and difficult to control.
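
The permission check ch100 describes in the two posts above can be run across a whole domain as a read-only audit. The PowerShell below is an added example, not part of any post in this thread or of the script mentioned later in it; the function name `Get-GpoReadAudit` and its output columns are made up for illustration, and it assumes the GroupPolicy module (RSAT or a domain controller) is available.

```powershell
# Added example: read-only audit of GPO permissions. Nothing is modified.
Import-Module GroupPolicy

# Well-known SID for Authenticated Users; Domain Computers is RID 515 in the domain SID.
$AuthUsersSid = 'S-1-5-11'
# Permission levels that include Read on the GPO.
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Get-GpoReadAudit {
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $perms = @(Get-GPPermission -Guid $gpo.Id -All -Domain $Domain)

        # Allow entries that let every computer account read the GPO.
        $broad = $perms | Where-Object {
            -not $_.Denied -and
            $_.Permission.ToString() -in $ReadLevels -and
            ($_.Trustee.Sid.Value -eq $AuthUsersSid -or
             $_.Trustee.Sid.Value -like 'S-1-5-21-*-515')
        }
        # Custom ACEs cannot be judged from the permission level alone.
        $custom = $perms | Where-Object { $_.Permission.ToString() -eq 'GpoCustom' }
        # Trustees used for security filtering (Apply).
        $apply = $perms | Where-Object { $_.Permission.ToString() -eq 'GpoApply' }

        [pscustomobject]@{
            Gpo              = $gpo.DisplayName
            Id               = $gpo.Id
            ComputersCanRead = [bool]$broad
            HasCustomAce     = [bool]$custom
            ApplyTrustees    = ($apply | ForEach-Object { $_.Trustee.Name }) -join '; '
        }
    }
}

# List security-filtered GPOs where neither Authenticated Users nor
# Domain Computers has Read. Review these by hand: individual computer
# accounts or groups may have been granted Read instead.
Get-GpoReadAudit |
    Where-Object { -not $_.ComputersCanRead } |
    Sort-Object Gpo |
    Format-Table Gpo, Id, HasCustomAce, ApplyTrustees -AutoSize

# The change ch100 describes, for one reviewed GPO (Read only, not Apply):
# Set-GPPermission -Guid <Id> -TargetName 'Authenticated Users' `
#     -TargetType Group -PermissionLevel GpoRead
```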

    • #40810 Reply

      Thomas Spero

      Woody,
      Anything on KB3162835? I see we went back to DEFCON 2.
      Thanks,
      TomS

    • #40811 Reply

      woody
      Da Boss

      If you’re in the Aleutians or Hovd, Mongolia, you might want to get this one installed real quick. For everybody else, manana por manana…

      https://support.microsoft.com/en-us/kb/3162835

    • #40812 Reply

      Allan

      @woody

      Yes, I have it listed. I haven’t downloaded or installed it yet, but it is a security update marked “Important”.

    • #40813 Reply

      woody
      Da Boss

      Interesting. OK, ignore it for now. 🙂

    • #40814 Reply

      louis

      @woody,

      Yup…As of yesterday, I also have it listed as Important on my W7 SP1 x64 machine.

    • #40815 Reply

      Liam

      We saw it remove print queues which were deployed by user Group Policy. Haven’t seen any other impact from it. We were only deploying it to a test container. Have removed it via SCCM and not deploying it now.

    • #40816 Reply

      ch100
      AskWoody MVP

      This is an update rollup including previous time zone updates. Is it urgent for most people? As Woody says, mañana por mañana 🙂
      I think it should eventually be installed if it is reliable – MS-DEFCON 3 or hopefully higher, just to keep Windows current.

      From Microsoft:

      Who should install this update?
      We recommend that you install time zone updates on all computers, including both desktops and servers, for all users worldwide regardless of where the computers are physically located. The need for time zone information cannot always be anticipated, or its usage may not be obvious to the user.

      While it’s important to keep time correctly on a computer’s local clock, consider also that many users interact regularly with users in other time zones through international phone calls and online meetings.
      Additionally, many Microsoft and third-party applications and services let users select their own time zone. Therefore, the servers that host those applications must have accurate time zone information.

      Many other business scenarios also require accurate time zone information. These include coordinating travel itineraries, calculating hourly wages, and automating lighting and machinery.

    • #40817 Reply

      woody
      Da Boss

      Ah, you got the enyas!

    • #40818 Reply

      Joe Friday

      KB3159398 was inadvertently installed two days ago on Win8.1 home…my standalone laptop.

      My “never check” setting is still there and I haven’t seen anything untoward so far. I’ll let you know if anything changes.

    • #40819 Reply

      Dennis E

      I will add that 3159398 was one of 12 updates waiting for me. I just told WinUpdate to only do the 7 Security Updates not related to .NET or the 52 mB one for IE11. Just those 7 or about 50 mB. I have 100 mbit/sec down/up fiber to the home. Took 3 hours 10 minutes! Then re-booted Win7 PRO and it now said 13 updates and said that 3159398 had to be installed. But wait…Update history said 3159398 had already been installed. I don’t see that anything bad happened tho. Was going to install just only 3159398 then thot to check Technet and came across the issue.

      I was hoping to avoid WinUpdate by finding only that file when I decided to stop. So nothing obviously broken that I could see after re-booting. Then thot, “Oh maybe I should try out PowerShell my first time with a script linked to this issue…” but got errors just typing in the first line where it says Import-Module GroupPolicy

      I still don’t know why Windows Update is taking so long tho..
      Dennis in central WA state

    • #40820 Reply

      woody
      Da Boss

      Unless you’re an admin with the specific described problems, I wouldn’t worry about it.

    • #40821 Reply

      DougK

      I’m on day 4 of trying to keep KB3159398 off of my computers. We don’t have WSUS server (have LanDesk for patch mgmt) and I’ve tried blocking patch from manually running WU and hiding as well as using PowerShell module to hide the update. Every morning I come into the office I’m spending 3 hours removing this patch because M$ installs it again. I deploy printers with Group Policy, Update software applications, and set many windows settings all by different security groups. This patch stops them all from running. I’m starting to go insane trying to find a way to stop this patch once and for all.

    • #40822 Reply

      SLO Brooks

      My Windows 7 Ultimate 64 bit computer has been set up to NOT automatically install updates. I checked for updates which required several hours of waiting.

      I installed 4 updates for Office 2010, and then made certain that all other updates were deselected. When I shut down the computer, I was shocked to find that it was installing 14 updates. They are:

      KB890830
      KB3162835
      KB3161561
      KB2952664
      KB3164033
      KB915597
      KB3161958
      KB3161664
      KB3161949
      KB3159398 – uninstalled on first boot
      KB3164035
      KB3123862
      KB3139923
      KB3160005

      GWX Control Panel looks to be unchanged.

    • #40823 Reply

      SK

      Anyone note any GPO issues associated with removing this update? This one sneaked in with a batch of other updates on our AD Server, thinking about clearing it out and blocking it via WSUS.

    • #40824 Reply

      Ann

      First want to say hey to everyone. I’ve read over comments about Windows here. I’m totally against Windows 10. I use Windows 7 x64 bit. Use it on multiple systems. I prefer this OS because I’m a gamer.

      I use the GWX tool and its settings are set to keep Win 10 from installing and the get Win 10 icon is gone off task bar right corner.

      However, the 22nd of June 2016, I noticed I had updates to install. I started checking to make sure they were legit updates strictly for Windows 7.

      I noticed the dreaded KB3159398 (this update installs Windows 10) was back in the recommended update list even though I had it as one to be hidden.

      The GWX tool also was set to keep any Windows 10 update from installing or showing up in update list. Yet somehow it’s found a way around the GWX tool.

      As I went through the other updates listed, a total of 15 Windows recommended, I noticed in some way they weren’t really for Windows 7 like Microsoft said they were.

      In some way they all were for Windows 10 just disguised to look like they were for Windows 7. I have a test computer I set up to test on ever since Windows 10 started to be pushed on us.

      Those 15 updates have destroyed that test computer. Windows 7 x64 is on the test computer. After I installed the updates I restarted like it was recommended to. As soon as I was back up on desktop everything was flashing on and off randomly. Do it for a few and stop.

      I uninstalled all the updates I installed and it said successful. Restarted computer again and where as computer was flashing as it had been with the installed updates it was still doing it every time I clicked on a program to open it.

      I looked in installed updates again and found KB3161561 HAD NOT UNINSTALLED. I tried uninstalling it and Windows will NOT uninstall it. The other updates were not listed as installed thankfully in the uninstall update list.

      I feel 100% certain the update that didn’t uninstall (KB3161561) is the culprit for test computer to flash in the behavior it is now.

      Havoc caused by updates from Microsoft :

      https://onedrive.live.com/view.aspx?resid=C756C44362CD94AD!2257

    • #40825 Reply

      poohsticks

      When I checked for the June updates today, kb3159398 also came on my machine as important and checked, even though I don’t have group policy (I have Win 7 Home Premium).

      I guess I will leave it uninstalled this month and see if there’s any more about it later. (Susan Bradley’s patch spreadsheet today still indicates that it’s been causing some problems to the people who do have group policy).

    • #40826 Reply

      Ed

      From your comment above Ann…

      “The GWX tool also was set to keep any Windows 10 update from installing or showing up in update list. Yet somehow it’s found a way around the GWX tool.”

      I may be wrong and most likely somebody here will correct me if I am… but I don’t think the GWX Control Panel stops any updates from APPEARING in the list of available updates.

    • #40827 Reply

      woody
      Da Boss

      That’s correct. GWX Control Panel prevents the icon from appearing in the system tray, blocks Win10 from installing, and it removes any vestiges of the GWX subsystem.

    • #40828 Reply

      Hans

      Had same problem, removed from DC had no effect, removed from client side, GPO now applies.

    • #40829 Reply

      woody
      Da Boss
