Geekzone: technology news, blogs, forums


robcreid

228 posts

Master Geek


#197912 17-Jun-2016 13:32
jaymz
1096 posts

Uber Geek


  #1578871 23-Jun-2016 10:27

It seems there are lots of people saying "uninstall and block this update".  I would strongly recommend that the update is not blocked or removed:

 

I had a read over the Microsoft KB Article (https://support.microsoft.com/en-us/kb/3159398)  and noticed the following important message:

 

  • All future security and non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update 2919355 to be installed. We recommend that you install update 2919355 on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates.

Reading that, it sounds like declining the update is going to cause us all sorts of headaches later on down the track.

 

Microsoft is not going to remove this update, as they want us to fix the GPOs properly.

 

 As per the article, I suggest we add the authenticated users as read-only.

 

 Known issues

 

MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer's security context. This issue is applicable for the following KB articles:

 

  • 3159398 MS16-072: Description of the security update for Group Policy: June 14, 2016
  • 3163017 Cumulative update for Windows 10: June 14, 2016
  • 3163018 Cumulative update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: June 14, 2016
  • 3163016 Cumulative Update for Windows Server 2016 Technical Preview 5: June 14 2016

Symptoms

 

All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.

 

Cause

 

This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.

 

Resolution

 

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

 

  • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
  • If you are using security filtering, add the Domain Computers group with read permission.

 

 

I have implemented the following PowerShell script to check all my sites:

 

https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/
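
An added example, not part of the thread and not the linked PoshChap script: it classifies a GPO's delegation entries against the known-issue condition quoted above (no Read for Authenticated Users, or for Domain Computers when security filtering is used). `Test-GpoComputerRead` and `New-Ace` are hypothetical names and the sample entries and SIDs are constructed; `Get-GPO`, `Get-GPPermission` and `Set-GPPermission` are the GroupPolicy module cmdlets.

```powershell
# Permission levels that include read access to the GPO.
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoComputerRead {
    # $Permission: entries shaped like the output of Get-GPPermission -All
    param([Parameter(Mandatory)] [object[]] $Permission)
    $hasRead = $false; $needsReview = $false
    foreach ($p in $Permission) {
        $sid = [string]$p.Trustee.Sid
        # S-1-5-11 = Authenticated Users; domain RID 515 = Domain Computers
        if ($sid -ne 'S-1-5-11' -and $sid -notmatch '^S-1-5-21-.+-515$') { continue }
        if ($p.Denied -or [string]$p.Permission -eq 'GpoCustom') { $needsReview = $true }
        elseif ([string]$p.Permission -in $ReadLevels) { $hasRead = $true }
    }
    if ($needsReview) { return 'Review' }   # Deny or custom ACE: inspect by hand
    if ($hasRead)     { return 'OK' }
    return 'MissingRead'                    # the MS16-072 known-issue condition
}

# Constructed sample data (hypothetical helper, placeholder domain SID).
function New-Ace($Sid, $Level, $Denied = $false) {
    [pscustomobject]@{
        Trustee = [pscustomobject]@{ Sid = $Sid }; Permission = $Level; Denied = $Denied
    }
}
$dom = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = [ordered]@{
    'Default delegation'        = @(New-Ace 'S-1-5-11' 'GpoApply')
    'Filtered to a group'       = @((New-Ace "$dom-1105" 'GpoApply'),
                                    (New-Ace "$dom-512" 'GpoEditDeleteModifySecurity'))
    'Filtered, computers added' = @((New-Ace "$dom-1105" 'GpoApply'),
                                    (New-Ace "$dom-515" 'GpoRead'))
}
foreach ($name in $sample.Keys) {
    '{0,-28} {1}' -f $name, (Test-GpoComputerRead -Permission $sample[$name])
}

# Against a live domain (GroupPolicy module from RSAT/GPMC):
# Get-GPO -All | ForEach-Object {
#     [pscustomobject]@{
#         Gpo    = $_.DisplayName
#         Status = Test-GpoComputerRead -Permission (Get-GPPermission -Guid $_.Id -All)
#     }
# } | Where-Object Status -ne 'OK'
#
# Remediation from the KB article, per GPO reported as MissingRead:
# Set-GPPermission -Guid <gpo id> -TargetName 'Authenticated Users' `
#     -TargetType Group -PermissionLevel GpoRead
```

`GpoRead` grants read without Apply, so adding it for Authenticated Users does not widen the set of users a security-filtered GPO applies to.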

 

 


nathan
5686 posts

Uber Geek

Trusted
Microsoft

  #1578951 23-Jun-2016 12:36

Is there a question in this thread?

The change has been made to GPO because of security reasons.




populism, the most important and misunderstood movement of our time


 
 
 
 


jaymz
1096 posts

Uber Geek


  #1579014 23-Jun-2016 13:23

nathan: Is there a question in this thread?

The change has been made to GPO because of security reasons.

 

Nope, no question. The reason for my detailed response was to try to inform people about the correct fix for the issues that can be caused by installing the update.

 

The update is needed for every server, but there is a feeling out there that people are going to disable/decline the update because (in their words) "it breaks stuff so i wont install it".


nathan
5686 posts

Uber Geek

Trusted
Microsoft

  #1579020 23-Jun-2016 13:44

I guess it was more of a Q for the OP

I too have seen WSUS admins saying don't install, without understanding why they're saying that.

Declining updates, especially because of hysteria, isn't a particularly good idea :)





populism, the most important and misunderstood movement of our time


nzkiwiman
2408 posts

Uber Geek

Subscriber

  #1579103 23-Jun-2016 16:56

I am piloting W10 in the company and blocked KB3163018 from installing after finding that I can no longer search (or sort) in vSphere 5.0 (and 5.5) after installing the update and having to roll back.
vSphere reports that "Logon to the query service failed. The request was aborted. Could not create SSL/TLS secure channel"


nathan
5686 posts

Uber Geek

Trusted
Microsoft

  #1579145 23-Jun-2016 18:12

What does VMware say?

KB3163018 tightens up a bunch of security things with SMB & NetBIOS




populism, the most important and misunderstood movement of our time


robcreid

228 posts

Master Geek


  #1579159 23-Jun-2016 18:31

nathan: I guess it was more of a Q for the OP

 

All good here too thanks.

 

I got the Known Issue notification while we were still in update testing phase, so I was able to verify the issue and fix our affected GPOs without having to delay release of the patch in our normal patch cycle.

 

 

 

 


 
 
 
 


nzkiwiman
2408 posts

Uber Geek

Subscriber

  #1592889 15-Jul-2016 07:56

nzkiwiman:

 

I am piloting W10 in the company and blocked KB3163018 from installing after finding that I can no longer search (or sort) in vSphere 5.0 (and 5.5) after installing the update and having to roll back.
vSphere reports that "Logon to the query service failed. The request was aborted. Could not create SSL/TLS secure channel"

 

 

This month's W10 cumulative broke my connection to vSphere (as expected).
Thankfully, in the month since, there have been a lot of people running into the same problem and I was able to install and test a fix that worked.

 

Added a new registry key
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
; 0x00000200 = 512: minimum Diffie-Hellman key length, in bits, the Schannel client will accept
"ClientMinKeyBitLength"=dword:00000200

 

 

