With June Patch Tuesday, users need a fix for the fix

Patch Tuesday usually relieves sys admins' headaches but the June edition handed out a few, as a patch designed to improve security for Group Policy actually took it away.

It looks like Patch Tuesday has become Patch Wednesday and Thursday.

Microsoft released its usual batch of patches this week, but one in particular involving Group Policy caused more problems than it fixed. The security bulletin MS16-072 -- categorized as an "important" -- is designed to change the security context for how group policies are retrieved, according to the company. The fix was supposed to eliminate man-in-the-middle (MiTM) attacks to traffic between a domain controller and the target machine.

Instead, many users reported that the patch broke GPO settings such as drive mapping and shortcuts to applications disappeared from user desktops. Administrators reported some users suddenly had access to sensitive information that was supposed to be shielded from them.

One immediate fix was to remove the patch and restart affected machines. Microsoft added further instructions to the MS16-072 bulletin for administrators experiencing problems, which stemmed from certain read permissions requiring a modification.

Apparently, many administrators with a large number of GPOs were caught off guard by this change. To help ease the pain, Microsoft provided a PowerShell script to check GPOs that needed the read-permission adjustment.

While users reported uninstalling the MS16-072 update from PCs and servers remedied the problem, it comes at the expense of leaving those systems open to the MiTM vulnerability. Admins can also use Windows Server Update Services (WSUS) to prevent the patch from being deployed.

The wayward patch could impact Azure users managing their own VMs in Azure but not those using the higher-level Azure compute services such as Web Apps. It certainly would not impact the vast majority of Azure services -- Storage, Service Bus/Events Hub, SQL database, Document DB, and Redis cache, -- because Microsoft manages their operation directly, one user said.

"I haven't heard any blowback at all from this in my Azure circles," said Bill Wilder, CTO at the Boston-based Finomial Corporation.

Users employing these VM features could have problems, although cloud VMs are not usually used that way, Wilder noted.

"Group Policy is mostly about managing user permissions at scale, but that's not the common scenario for cloud VMs that could be impacted by this issue," Wilder said. "Most such VMs are part of server-side applications where they are less likely to be configured to rely on GP."

Many sys admins could have avoided early problems by rolling out the patch to a small group of machines to check for problems before deploying them extensively. Microsoft has released patches that have caused problems and been forced to reissue them.

One of the most notable recent incidents was for the patch associated with security bulletin MS15-115 which was part of the November 2015 Patch Tuesday release. The initial patch for this bulletin would cause crashes and screen flickering on machines running Outlook and other applications on some Windows systems.

Dig Deeper on Windows systems and network management