http://m.windowsitpro.com/patch-tuesday/update-kb3163622-breaks-group-policy-it-s-not-me-it-s-you
It seems there are lots of people saying "uninstall and block this update". I would strongly recommend that the update is not blocked or removed:
I had a read over the Microsoft KB Article (https://support.microsoft.com/en-us/kb/3159398) and noticed the following important message:
Reading that, it sounds like declining the update is going to cause us all sorts of headaches later on down the track.
Microsoft is not going to remove this update, as they want us to fix the GPOs properly.
As per the article, I suggest we add Authenticated Users as read-only.
Known issues
MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer's security context. This issue is applicable for the following KB articles:
All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.
Cause
This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.
Resolution
To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:
I have implemented the following PowerShell script to check all my sites:
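The poster's own script did not survive in the thread. The following is an added example, not the poster's code, that does the audit the KB resolution describes: it walks every GPO in the domain and reports any that grants neither Authenticated Users nor Domain Computers at least Read, then optionally adds Authenticated Users with Read only (GpoRead, not GpoApply, so existing security filtering is unchanged). It assumes the RSAT GroupPolicy module is installed and that the caller has permission to read, and if repairing, edit the GPO ACLs; the trustees are matched by well-known SID (S-1-5-11 for Authenticated Users, RID 515 for Domain Computers) rather than by display name so it works on localized domains.

```powershell
# Added example (not the poster's script): audit GPOs for the Read permission
# that MS16-072 / KB3163622 requires, and optionally repair them.
Import-Module GroupPolicy

# Permission levels that include Read; a Denied entry never counts.
$script:ReadLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

function Test-GpoReadPermission {
    param([Parameter(Mandatory)] $Gpo)   # object returned by Get-GPO

    # -All lists every trustee on the GPO's ACL, not just one principal.
    $perms = Get-GPPermission -Guid $Gpo.Id -All

    $authUsers = $perms | Where-Object {
        $_.Trustee.Sid.Value -eq 'S-1-5-11' -and
        -not $_.Denied -and $script:ReadLevels -contains $_.Permission
    }
    $domainComputers = $perms | Where-Object {
        $_.Trustee.Sid.Value -match '-515$' -and
        -not $_.Denied -and $script:ReadLevels -contains $_.Permission
    }

    [pscustomobject]@{
        Name                   = $Gpo.DisplayName
        Id                     = $Gpo.Id
        AuthenticatedUsersRead = [bool]$authUsers
        DomainComputersRead    = [bool]$domainComputers
        # Either grant lets the computer's security context read user policy.
        Ok                     = [bool]($authUsers -or $domainComputers)
    }
}

function Repair-GpoReadPermission {
    param([Parameter(Mandatory)] $Gpo)
    # GpoRead only: the users this GPO is filtered to do not change, because
    # applying still requires GpoApply. Set-GPPermission leaves a higher existing
    # level alone unless -Replace is used, so this never downgrades anyone.
    Set-GPPermission -Guid $Gpo.Id -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead | Out-Null
}

# Usage: report only, or pass -Apply to add the missing Read entry.
function Invoke-GpoReadAudit {
    param([switch]$Apply)
    $results = Get-GPO -All | ForEach-Object { Test-GpoReadPermission -Gpo $_ }
    $broken  = $results | Where-Object { -not $_.Ok }
    $broken | Format-Table Name, Id, AuthenticatedUsersRead, DomainComputersRead -AutoSize
    if ($Apply) {
        foreach ($r in $broken) { Repair-GpoReadPermission -Gpo (Get-GPO -Guid $r.Id) }
    }
    return $results
}

Invoke-GpoReadAudit
```

Run the report first and review the list: a GPO that intentionally has neither group will show up here, and after MS16-072 its user settings simply stop applying, which is the symptom the thread is about. Adding only Read keeps whatever security filtering is already in place.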
nathan: Is there a question in this thread?
The change has been made to GPO because of security reasons.
Nope, no question. The reason for my detailed response was to try to inform people about the correct fix for the issues that can be caused by installing the update.
The update is needed for every server, but there is a feeling out there that people are going to disable/decline the update because (in their words) "it breaks stuff so I won't install it".
I am piloting W10 in the company and blocked KB3163018 from installing after finding that I can no longer search (or sort) in vSphere 5.0 (and 5.5) after installing the update and having to roll back.
vSphere reports that "Logon to the query service failed. The request was aborted. Could not create SSL/TLS secure channel"
nathan: I guess it was more of a Q for the OP
All good here too thanks.
I got the Known Issue notification while we were still in the update testing phase, so I was able to verify the issue and fix our affected GPOs without having to delay release of the patch in our normal patch cycle.
nzkiwiman:
I am piloting W10 in the company and blocked KB3163018 from installing after finding that I can no longer search (or sort) in vSphere 5.0 (and 5.5) after installing the update and having to roll back.
vSphere reports that "Logon to the query service failed. The request was aborted. Could not create SSL/TLS secure channel"
This month's W10 cumulative broke my connection to vSphere (as expected)
Thankfully, in the month since, there have been a lot of people running into the same problem and I was able to install and test a fix that worked.
Added a new registry key
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ClientMinKeyBitLength"=dword:00000200
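The value in that registry key is hex 0x200, i.e. 512 bits: it lowers the minimum Diffie-Hellman group size the Schannel client will accept back to 512 bits so that the old vSphere endpoint can negotiate TLS again. That is the weak-DH size the cumulative update was refusing, so it is worth knowing which machines carry the override. The following is an added example, not the poster's fix, that reads the key and flags any configured minimum below a floor you choose (1024 bits is assumed as the floor here); it only reports and changes nothing.

```powershell
# Added example (not the poster's registry change): report the configured
# Schannel client DH minimum and flag it when it is below the assumed floor.
$script:DhPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'

function Get-DhClientMinKeyBitLength {
    # Returns the configured ClientMinKeyBitLength in bits, or $null when the
    # value is absent (absent means Schannel uses its built-in default).
    if (-not (Test-Path $script:DhPath)) { return $null }
    $item = Get-ItemProperty -Path $script:DhPath -Name ClientMinKeyBitLength -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.ClientMinKeyBitLength
}

function Test-DhClientMinKeyBitLength {
    param([int]$Floor = 1024)   # assumed policy floor; adjust to your own standard
    $bits = Get-DhClientMinKeyBitLength
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        ConfiguredBits = $bits            # $null = not overridden
        # A 512-bit override (dword 0x200, as in the thread) is flagged here.
        Weak           = ($null -ne $bits -and $bits -lt $Floor)
    }
}

Test-DhClientMinKeyBitLength
```

The check is deliberately read-only: if an override is needed to reach a legacy vSphere host, it should be tracked and removed once that host is upgraded, and this function is what you would run across the fleet to find where it is still set.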