It took 36 hours, but they came clean. InfoWorld Woody on Windows Rod Trent notes on WindowsITPro that there’s a PowerShell script that will go out an
[See the full post at: Microsoft acknowledges permission problems with MS16-072 patches KB 3159398, 3163017, 3163018, 3163016]
Microsoft acknowledges permission problems with MS16-072 patches KB 3159398, 3163017, 3163018, 3163016
- This topic has 43 replies, 5 voices, and was last updated 8 years, 10 months ago.
woody
Manager, June 16, 2016 at 8:21 am #40748
Replies
ch100
AskWoody_MVP, June 16, 2016 at 8:51 am #40749
Isn’t the resolution proposed what I said here that it has always been the recommended configuration?
-
woody
Manager -
Doug
Guest -
woody
Manager -
PkCano
Guest, June 16, 2016 at 12:47 pm #40753
When people try to do too many things at once, the usual result is that they don’t do anything well. That seems to be the case with Microsoft in its desperate attempt to salvage itself.
All operating systems have some glitches at first, then things smooth out for the long run. But this chaos has been going on with MS every time they issue updates month after month. And it’s not only for its new operating system, but for its older ones that have been relatively stable over the years. The quality control has gone to heqq as the quantity of their “projects” has increased asymptotically.
This is one of the reasons (along with privacy issues some of us older people can’t deal with) I have been hesitant to move to Win10 with its forced bundled updates.
-
NotReallyBob(fromanothercomputer)
Guest, June 16, 2016 at 3:22 pm #40754
I’ll quote one of my old posts:
Microsoft rapid fires OSes at us because XP was around too long resulting in bad Vista, 7 was good because:
microsoft: “We rushed a brand new OS in only 3 years!”
reality: “You fixed vista in SP1, and then you spent 3 whole years making Vista 2.0 (Windows 7) on that progress, and lost the bad rep of the name vista”
microsoft: “Windows 8 will be great because we waited 3 years, we remember last time, we don’t have to try at all, we are golden”
reality: “8 was bad because you changed everything and told people. ‘no you do not hate it you love it! remember?'”
microsoft: “NEW OS, NOT WINDOWS 8! marketing data! (maniacal laughter) We brought back / mangled the start menu! (maniacal laughter) BING! (tracking sounds)”
reality: “Ugh… +(frustrated grinding sound almost like teeth)”
microsoft: “We have too many different operating systems to support! How could this have happened??!”
reality: “duh!” -
ch100
AskWoody_MVP, June 16, 2016 at 3:37 pm #40755
The KB article explains clearly what the issue is and that the Group Policies for those administrators who experience problems were not set according to the best practices in the first place.
The issue is that the security context for User Group Policy has changed from user (which can be an unprivileged/non-admin account) to computer to enhance the security overall. A computer is a user in Active Directory, i.e. it has its own user account and a randomly generated password which by default changes every 30 days. Being a user, the computer account, commonly seen in the permissions as followed by the dollar $ sign, is a member of Authenticated Users which needs to be able to at least read the policy, not necessarily to apply it, as this will still happen in the user context as normal.
It is not a faulty patch, it is enforcing security as I believe it was always meant to be. So in that sense it resolves an issue which was never addressed until now.
The recommendation was always that Authenticated Users should have Read access at minimum, but this can be worked around by adding the exact computer accounts and Domain Controllers instead which makes the configuration complex, required sometimes for compliance reasons.
I don’t think Microsoft has any reason to reissue the patch as it is not a faulty patch, unless it is for PR reasons. Technically Microsoft is not at fault.
The only thing that Microsoft could and should have done better was to post the information in the original revision of the article BEFORE administrators installed the update and experienced problems. -
ch100
AskWoody_MVP, June 16, 2016 at 3:42 pm #40756
@PKCano
“When people try to do too many things at once, the usual result is that they don’t do anything well. That seems to be the case with Microsoft in its desperate attempt to salvage itself. All operating systems have some glitches at first, then things smooth out for the long run. But this chaos has been going on with MS every time they issue updates month after month.”
Absolutely correct. Unfortunately it is the nature of the industry, with fast-paced changes, which makes things as they are. Sometimes I ask myself how the hardware manufacturers can keep up with the changes in the industry, offering in most cases reliable enough products.
Or how Woody is able to write a 1000-page book every year, while at the same time writing for InfoWorld and maintaining this site so effectively -
ch100
AskWoody_MVP -
Doug
Guest, June 16, 2016 at 4:16 pm #40758
Ridiculous? I’ve been saying that since December; they haven’t had a month go by without breaking things starting at least then.
I wish I could run into Satya Nadella and ask him two things:
1. Imagine people had plenty of choices between Microsoft and other vendors for an operating system and an Office app. What do you believe would make them choose you over others? And more importantly, what would be the reason you’d *want* them to choose you, not the reason you believe they would?
2. If I offered you the best meal in the world, money-no-option at the end of two months, could you make those two consecutive months go by without a broken patch for Windows/Office, and without shoving Windows 10 down the throats of those who have already declined it? Note: You can’t issue no patches and get around it that way.
-
Doug
Guest, June 16, 2016 at 4:19 pm #40759
If it isn’t faulty, then at the end of the patch, Microsoft should add a subroutine that scans for the GPO issue within Active Directory, and resolves it automatically by correcting the necessary permissions. I would call *that* expected behavior.
I shouldn’t have to manually correct something like that; Microsoft has people with much higher IQs than mine working on their dev teams.
-
woody
Manager -
lizzytish
AskWoody Lounger, June 16, 2016 at 8:27 pm #40761
Godonya Woody and CH100….. Well done! You know think perhaps MS are constantly watching and reading all this……… otherwise how could they have been able to come up with your exact fix, CH100?
Or have I missed something in my limited knowledge? Know I’m certainly not up to your league, but most certainly appreciate knowing that you are around!!
Keep it up guys (ooops I believe that word is not politically correct in some parts of the world!)
We all need you! LT -
ch100
AskWoody_MVP, June 16, 2016 at 9:57 pm #40762 -
ch100
AskWoody_MVP, June 16, 2016 at 10:00 pm #40763
@Doug If Microsoft would change permissions configured on purpose by administrators in a certain way, even if not optimally, then you watch the backlash. Maybe a notification would be more useful in this sense, inviting people to update the permissions. Their focus is elsewhere though…
-
ch100
AskWoody_MVP, June 16, 2016 at 10:17 pm #40764
Maybe we should set the record straight about GPOs and their configuration, although this subject is more suitable for a Technet forum.
Back in 2000 when Windows 2000 Active Directory was released, Microsoft designed the Group Policies with the intention to have them filtered based on Security Groups and here is from where the name comes. Because most System Administrators preferred a different configuration which was to assign Group Policies based on Organizational Units with the default security configuration, which means Authenticated Users Read & Apply, Microsoft changed their advice since then in that sense which was less complex and less error-prone. The name remained though.
Some configurations do not work with only assigning GPOs based on OUs and there is a need for Group Security filtering, which means changing the default security from Authenticated Users Read & Apply to a different custom security group.
Here is the problem. Because of misunderstanding the “fine print”, Authenticated Users gets removed entirely by administrative action which removes the access to the policy from the computers requiring it. The computers are members of Authenticated Users but not members of the other group configured by administrators.
The correct approach is to remove Apply from Authenticated Users and leave Read access, while configuring Apply for the custom group. Alternatively, the administrator can identify the exact computers and include them in the custom group, but this is likely to generate errors and is labor intensive.
In addition, sometimes Domain Admins or other admin groups need to be configured with Deny Apply access, to avoid being locked out of the configuration. Microsoft worked around this limitation some time ago and included the Enterprise Domain Controllers in the ACLs for Group Policies, which in general is enough, but with the new security update for Group Policies, only giving access to the Domain Controllers appears not to be enough.
End of story, if there are no extreme restrictions related to compliance in the environment, Authenticated Users should NEVER have Read access removed from any Group Policy Object.
In case of doubt or political interference from management, maybe a Microsoft Support Call and a PFE opinion would resolve the issue to everyone’s satisfaction.
-
woody
Manager -
lizzytish
AskWoody Lounger -
toliver2112
Guest, June 17, 2016 at 7:45 am #40767
Definitely remarkable. It sure would have been nice to know this up-front when the SB was released, instead of people finding out after-the-fact.
Microsoft claims this is a by-design behavior in the “known issues” section of the revised general announcement at https://technet.microsoft.com/en-us/library/security/ms16-jun but if this was by-design, why not disclose it before people started installing it and caused problems in their environment?
Not a good way to do business, but lately that’s been par-for-the-course with updates. Shame.
-
woody
Manager -
toliver2112
Guest, June 17, 2016 at 7:58 am #40769
That is very well said, but I have a caveat to add:
When you use the “Security Filtering” section of GPMC’s “Scope” tab on a GPO to remove “Authenticated Users” and add a group to filter the GPO, doing so explicitly removes the Read permissions for AU from the GPO. This is evident when you look at the “Delegation” tab on the same object: In the “Allowed Permissions” column, whatever group (including AU) that is subject to the filter will show “Read (from Security Filtering)” in the list of permissions.
As a result, whether or not this was all by design and has now been corrected by the application of this update, many filtered GPOs have improper permissions assigned and, until now, this was not entirely well-documented by Microsoft (and it still isn’t, from what I’ve seen). Now people are scrambling to manually correct something that has been perpetuated by Microsoft’s own toolset.
I would propose that Microsoft should update the function of GPMC so that when a GPO is filtered, the administrator is warned that AU still needs explicit “Read” permissions granted to it or, better yet, GPMC ensures that permission is retained on the GPO unless the administrator wants it removed (and now, why would anyone want that at all?). Any chance someone at Microsoft is listening?
-
Doug
Guest, June 17, 2016 at 8:03 am #40770
@ch100 – Perhaps some notification like the Sharepoint one that reminds you to run PSConfig, and includes an option letting you scan and fix what may be needed. Either way, there shouldn’t be a hidden “gotcha”, and Microsoft could totally leverage their patch announcements to note these things – I’m subscribed to their monthly announcements.
“Focus”. That’s an interesting word to note, because my wish over the past several years was that Microsoft would focus on listening more. Listen to IT people some, and you get evangelists. People only too happy to make sure people who trust them run your software, at home, in the enterprise; those recommendations go a long way. I also have no problem with them attempting to become “agile developers”, but when you let go a huge portion of your QA staff, that shows you’re expecting your company to (to use an arcane Biblical reference) “make bricks without straw”. Agility *requires* good QA.
-
d9
Guest, June 17, 2016 at 8:06 am #40771
This is likely a silly question, but I thought I should still ask for the sake of clarification…
The situation created by installing KB3159398 has no bearing on policies that are configured directly on the local machine using gpedit – correct? My PCs are not on a domain, and they aren’t even really networked together (apart from sharing the same internet access from the router).
As far as gpedit is concerned, I’ve only made the change to disable the OS upgrade through WinUpdate on my Win7 PC. But Win10 is another story entirely, as I’ve used it on that machine to wrangle control of the PC back from MS.
Apart from the usual caveats about accepting the latest updates, I shouldn’t have to worry about breaking any changes made via gpedit on those machines since I’m not attached to a domain – correct?
-
Doug
Guest, June 17, 2016 at 8:08 am #40772
I don’t know if it’s the quantity of their projects. However, that plan to let go 15,000 staff included a let go of a lot of QA folks; developers as I understand it are now required to QA their own code in a number of cases.
Here’s the problem with that scenario:
Dev doing QA: I looked at my code. I tested to ensure that when I perform function A, that it performs output B like desired.
QA doing QA: I looked at a description of what function A is supposed to do. I tested to ensure that what the user expects happens and then I also tried performing functions C, D, and E to ensure output B either happens, or provides clear output to the user on why things didn’t work, and that nothing broke. I also checked to ensure function A makes sense to the user so they aren’t going to try to do C, D, and E unless they’re fairly clueless.
I’m not a coder, so my language here isn’t precise (I’m a hardware guy with some CLI and scripting capabilities). But I can still see why a QA person and a dev are not the same thing, and if you ask one person to do two jobs, you’ll probably experience a lot of pain, frustration and stress. -
Doug
Guest -
woody
Manager -
woody
Manager -
toliver2112
Guest, June 17, 2016 at 8:38 am #40776
Hmm… Maybe adding Read permissions for Authenticated Users isn’t the best thing to do:
Lifted directly from the KB3163622 article, “Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer’s security context.”
“To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:
• Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
• If you are using security filtering, add the Domain Computers group with read permission.”
Authenticated Users should already have Read permissions if Security Filtering is not employed, so that shouldn’t be an issue for most GPOs. However, for filtered GPOs, the Domain Computers should be used. I wonder how many people will just use the easy button (Authenticated Users) instead of the right way (Domain Computers).
-
toliver2112
Guest, June 17, 2016 at 8:41 am #40777
“The only thing that Microsoft could and should have done better was to post the information in the original revision of the article BEFORE administrators installing the update and experiencing problems.”
The only thing? Perhaps. BEFORE? Most definitely! This is another example of Microsoft’s customer service at its infernal worst.
-
d9
Guest -
NotReallyBob(fromanothercomputer)
Guest, June 17, 2016 at 10:01 am #40779
The under the hood changes to windows 10 (ignoring the GUI) are hardly worth a whole new OS. The under the hood changes 7 vs 8.x (again, ignoring the GUI) are huge.
My point is they are different dev branches and microsoft has trouble with how many there are and yet is the cause of the problem.
-
NotReallyBob(fromanothercomputer)
Guest -
Devin
Guest, June 17, 2016 at 2:40 pm #40781
Exactly. GPMC ought to do the right thing. Why bother having a security filtering option if using it often (usually?) requires you to then go to the delegation tab and do manual advanced cleanup. If GPO requires Authenticated Users to have read access, then removing read access should be the advanced operation, at which point it’d be fine to go to the advanced tab to make that advanced customization. Or get rid of the security filtering screen altogether and use the delegation tab always.
-
ch100
AskWoody_MVP, June 17, 2016 at 4:39 pm #40782
@toliver2112
You can see the full extent of the permissions only on the Advanced tab. Even there, if you reset the permissions to the schema default, you will see “Special” instead of Read & Apply for Authenticated Users. Read & Apply is documented in a few KBs and is enough. I assume it is a GUI bug, as I tried to use command-line tools for AD ACLs to understand what is missing and there was nothing missing there.
The reason for the whole confusion which you mentioned is that GPMC shows something different under Delegation when compared with the Advanced tab. I don’t know if it is documented anywhere, but it is all over the place, on Technet, forums, own experience, like a lot of things in IT. -
ch100
AskWoody_MVP -
ch100
AskWoody_MVP, June 17, 2016 at 4:48 pm #40784
@toliver2112
I explained in detail that Authenticated Users covers Domain Computers and if an admin wants to be even more strict than using Domain Computers, then the specific computer(s) can be used instead.
For ease of administration it is highly recommended to keep using Authenticated Users though. There is no security relaxation involved, or at least not a significant one.
Only environments which have high compliance requirements and likely the resources to afford it, should go into the detail of setting individual computers. -
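The two points made in this part of the thread, that every GPO must stay readable by the computer accounts after MS16-072 (the KB resolution toliver2112 quotes) and that security filtering should reduce Authenticated Users to Read rather than remove it (ch100's explanation), can be checked and applied from PowerShell. The script below is an added example, not something from the thread, from Rod Trent's script or from Microsoft; it assumes a domain-joined machine with the RSAT GroupPolicy module and rights to edit GPOs, and the GPO and group names in the usage lines are hypothetical.

```powershell
#Requires -Modules GroupPolicy
# Added example, not from the thread or from Microsoft's KB. It assumes a
# domain-joined machine with RSAT's GroupPolicy module and rights to edit GPOs.
# The GPO and group names in the usage lines at the bottom are hypothetical.
Import-Module GroupPolicy

# Either trustee having Read satisfies the post-MS16-072 retrieval of user
# policy in the computer's security context: Authenticated Users covers every
# computer account; Domain Computers is the stricter alternative the KB names.
$ReadTrustees = @('Authenticated Users', 'Domain Computers')

# Permission levels that include Read. A Denied entry never counts.
$ReadLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

function Test-GpoComputerRead {
    # One result object per GPO in the domain, flagging those that lost
    # computer-readable access (the symptom this thread is about).
    foreach ($gpo in Get-GPO -All) {
        $readers = Get-GPPermission -Guid $gpo.Id -All | Where-Object {
            (-not $_.Denied) -and
            ($ReadLevels -contains [string]$_.Permission) -and
            ($ReadTrustees -contains $_.Trustee.Name)
        }
        [pscustomobject]@{
            Name            = $gpo.DisplayName
            Id              = $gpo.Id
            HasComputerRead = [bool]$readers
            ReadTrustees    = (@($readers | ForEach-Object { $_.Trustee.Name }) -join ', ')
        }
    }
}

function Add-GpoComputerRead {
    # Applies the KB's first resolution to every GPO flagged above: grant
    # Authenticated Users Read. Without -Replace, Set-GPPermission leaves an
    # existing higher level (Apply, Edit) untouched, so filtering is preserved.
    param([switch]$ReportOnly)
    foreach ($g in Test-GpoComputerRead | Where-Object { -not $_.HasComputerRead }) {
        if ($ReportOnly) {
            "Would grant Authenticated Users Read on '$($g.Name)' ($($g.Id))"
            continue
        }
        Set-GPPermission -Guid $g.Id -TargetName 'Authenticated Users' -TargetType Group `
            -PermissionLevel GpoRead | Out-Null
        "Granted Authenticated Users Read on '$($g.Name)'"
    }
}

function Set-GpoSecurityFilter {
    # Security filtering done the way ch100 describes, instead of removing
    # Authenticated Users in GPMC's Scope tab: Authenticated Users is reduced
    # from Read & Apply to Read (-Replace), the custom group receives Apply.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # Show the resulting ACL so the change can be verified against the Delegation tab.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
}

# Usage (hypothetical names):
# Test-GpoComputerRead | Where-Object { -not $_.HasComputerRead } | Format-Table -AutoSize
# Add-GpoComputerRead -ReportOnly
# Set-GpoSecurityFilter -GpoName 'Laptop User Settings' -GroupName 'GPO-Laptop-Users'
```

Run the audit and the -ReportOnly pass first; only Add-GpoComputerRead without the switch and Set-GpoSecurityFilter write to the GPO ACLs.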
SusanA
AskWoody Lounger, June 18, 2016 at 10:51 am #40785
Hi Woody, I’m having a strange problem with security updates for .Net Framework 4.6. Recent updates KB3136000-v2, KB3142037, and KB3143693 all fail to install and display the following message –
Installation Did Not Succeed
Software update KB31xxxxx has not been installed because: A certificate chain could not be built to a trusted root authority.
I looked up the KB articles but I can’t figure out what they really mean. I have a vague idea that the updates need to be installed while the computer is connected to the Internet even if you use the offline installer? That seems contradictory and two of the machines in our house are never online but still need to be updated. I just wondered if anybody else has this problem and maybe figured out a solution? Thanks!
-
woody
Manager, June 18, 2016 at 11:22 am #40786
Installing .NET patches is notoriously difficult.
I found this article about the 3136000 problem:
You may be having problems with your firewall. See
https://support.microsoft.com/en-us/kb/3149737
Do either of those help?
-
ch100
AskWoody_MVP -
blueboy714
Guest, June 18, 2016 at 3:13 pm #40788
I’ve been reading Woody on InfoWorld for some time, and just recently found AskWoody during MS’s forced switch of users from Windows 7 to Windows 10. I have my Windows Updates set to “Let me choose to select Update” and now have 20 important updates and 7 optional.
I like AskWoody’s DefCon scale but I was curious if there is somewhere that has each update with a Defcon rating. I’d like to know what I can install and what I shouldn’t. I stopped installing things because right now the Defcon rating is “2”. I know I don’t need the Office 2010 updates because I have Office 2013 – I have just kept Office 2010 on my PC but I don’t use it.
Thanks
-
ch100
AskWoody_MVP, June 18, 2016 at 3:35 pm #40789
Susan, I read your post again. I think you don’t have the root up to date, which means you need access to the internet to update it. I think these days it is more and more complicated to do anything without a continuous internet connection. Highly secure environments spend a lot of resources and time to achieve good functionality without internet access, which I think is not easily achievable for regular users.
-
woody
Manager, June 19, 2016 at 5:39 am #40790
The MS-DEFCON system is intended to apply to people who don’t want to sweat the details. I give people a blanket go-ahead when the coast seems clear. Recently, it’s gotten considerably more difficult to come up with a simple answer to an increasingly difficult question.
If you want a detailed list of each KB (there are more than a hundred each month nowadays, and sometimes 200), and whether it’s safe to install, I suggest you subscribe to Windows Secrets Newsletter and follow Susan Bradley’s advice.
Susan also maintains a server-oriented list here
Which is a key source of info.
-
SusanA
AskWoody Lounger, June 21, 2016 at 10:22 am #40791
Thanks Woody and ch100 for your advice. I tried everything that made sense based on the links provided (as well as the links contained within!) and found that the TechNet suggestion to install KB2813430 was academic since that update had been installed two years ago. Another link to install MicRooCerAut2011_2011_03_22.crt apparently worked since I got a dialog that said it was successfully installed. However, I still got the offline install failures for the three .Net updates.
Now for what worked! As surmised, I needed to have my computer online while installing KB3136000-v2. It installed! I didn’t try installing the other two updates while online because our Internet is not fast or cheap. Later, while offline, I decided to try the remaining two updates again and was surprised to find that they installed correctly – while offline!
I don’t know if installing just KB3136000-v2 while online permanently fixed any root cert issues on my computer but it solved my immediate problem. BTW, I should have mentioned I’m running Windows 7.
Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.