Admins in outcry as Microsoft fix borks Group Policy

Microsoft's most recent security update is causing problems with Windows Group Policy settings. Users on Reddit and Microsoft support forums are reporting that after the MS16-072 update was installed, changes were made in Group Policy object (GPO) settings that left previously hidden drives and devices accessible. "I …

  1. Anonymous Coward
    Anonymous Coward

    Oops, just a group policy mishap

Expect Win 10 to be "mistakenly" rolled out to everyone, everywhere shortly using the same process.

It'll all be "accidental" of course.

    1. joed

      Re: Oops, just a group policy mishap

considering that the MS-blessed Windows 10 block is deployed via group policies, this may be a collateral gain

    2. Anonymous Coward
      Anonymous Coward

      Re: And thus Win 10 "mistakenly"

      No kidding. I have a friend with a Win 8.1 notebook, he accidentally clicked one of those 'Upgrade to Windows 10 now!!!' popups, and hey presto, his machine became a Win 10 machine and half of his programs no longer work properly, in addition to driver incompatibility woes.

      He asked me how to roll back to Win 8.1. I said, good luck mate, and consoled him on this inadvertent forced marriage and try to enjoy his 'new wife' as much as he could. Of course, I told him to turn off the telemetry and cloud crap, and to not use a Microsoft account, and to not let Miss Cortana 'learn about him'. And install Classic Shell.

      Enjoy your new wife, mate! Beware of the strange 'friends' (patches) she brings home from time to time, and try to enjoy their companionship too...

      1. DryBones

        Re: And thus Win 10 "mistakenly"

        Taking the piss isn't nice in that situation. 10 saves the old OS for a month, he just needs to go roll it back.

      2. Adam JC

        Re: And thus Win 10 "mistakenly"

        Yikes. For future reference, it's a 10-15 minute job and about 5 clicks to revert to the previous O/S.

        Type 'Recovery' into the Cortana/Search bar, and then 'Revert back to Windows X' - Shortly followed by running something like GWX Control Panel to stop it reoccurring :-)

  2. chivo243 Silver badge

    Thanks for the heads up

    Glad I always wait. I will roll the dice next week sometime.

    1. Novex

      Re: Thanks for the heads up

      Yep. Standard process for me now is to wait at least three days, preferably a week, to see if any issues surface before I do the update (on the Windows 7 partition - otherwise I use Linux Mint most of the time).

      1. Anonymous Coward
        Anonymous Coward

        Re: Thanks for the heads up

        Best to use something like WSUS and don't let Windows 10 update your other machines. As we say in the patching business, the road to hell is paved with good intentions, but nothing beats a good centrally administered roll-out process.

        Happily, I always wait at least a week before approving new updates.

        1. Peter2 Silver badge

          Re: Thanks for the heads up

If you're running business updates, don't you use WSUS and have a smallish "canary" group of users who won't cripple the business if they encounter problems?

          My sacrificial canary group has snuffed it a couple of times over the years which has caused me not to roll out to everybody, preventing serious problems.

          1. Anonymous Coward
            Anonymous Coward

            Re: Thanks for the heads up

            @Peter2

            I wish we could have a canary group. We have a senior management diktat that critical security updates must be rolled out organisation wide as soon as they are released.

Yes, on more than one occasion this has totally taken down the medical record system for an NHS Trust that covers a population of 1.5 million people and runs a load of secure inpatient psychiatric units and the health care wings of a few prisons.

            No, we can't change it. No, we can't roll back when it happens, we are instructed to just put a ticket in with the vendor (normally Microsoft) and then sit there with our thumbs up our asses waiting for them to tell us what to do.

            1. herman

              Re: Thanks for the heads up

              Well, make your IT Manglement your canary group.

    2. Anonymous Coward
      Anonymous Coward

      Re: Thanks for the heads up

      I'll roll the dice when I actually need to use the Windows laptop. With the shootout around Windows 10 trying (and failing) to upgrade it, I'm leaving it off all the time. I still miss Outlook but for the rest? Meh! Avoiding this crap is a side benefit.

      1. Vector

        Re: Thanks for the heads up

        I've just changed my policy to only install critical security updates from MS. If it says "critical" but doesn't say "security," it doesn't get installed. So far, that's saved me from the escalating Win 10 push.

        I'm sure at some point MS will decide that the Win 10 upgrade is a security issue and I'll be borked.

        (note that I'm only talking about my personal laptop. I'd be checking a bit further for business systems)

        1. Anonymous Coward
          Black Helicopters

          Re: Thanks for the heads up

          Only 3 days? Brave (or foolish); I used to delay for nearly the whole month, but due to the increasingly desperate attempts to get Malware10 onto the family PCs, I have disabled Updates entirely.

          No biggie really, because IF you try to download WITHOUT the MW10 files, it sulks and refuses to do anything, for hours, or even days.

          I do suspect all the PATCH M$hit NOW screaming is B.S. sometimes; I have been running an old XP box without ANY issues, even when connecting in Hotels in dodgy parts of the world.

          Competition Time!!!

          Who can guess how long it will be before the "Remain" party claims that leaving the EU will cause cancer??

    3. Anonymous Coward
      Anonymous Coward

      Re: Thanks for the heads up

      Yep, by next week MS will have a patch to the patch that will revert back to the original file and all will be back to normal. Well as normal as MS can be. :/

  3. a_yank_lurker

    Testing?

    Was this patch even tested? These problems sound like something that would show up with a competent (I forget it's Slurp) testing protocol.

    1. Ken Hagan Gold badge

      Re: Testing?

      It's probably safe to assume that it was tested and didn't show up because of some obscure difference between these customers and the MS test setup.

      Testing is hard.

      1. David 132 Silver badge

        Re: Testing?

        Microsoft test their patches against a fully-patched reference system - one where every previous patch has been diligently applied. My understanding is that they don't test against partially-patched systems, e.g. where the admin has applied patches V,W,X and Z but not Y. Their argument is that the latter introduces too many unknowns. The counter-argument is that the very reason that few admins apply 100% of patches... is issues like this one.

        Their intent is, I'm sure, to only support fully-patched systems - hence the move to mandatory patching in Windows 10.

        1. Ken Hagan Gold badge

          Re: Testing?

          "Their argument is that the latter introduces too many unknowns."

          Is it? Surely the killer argument is the combinatorial explosion. Win7 had hundreds of patches over its lifetime (perhaps over a thousand, I don't know). Factorial 1000 is a *very* big number, implying a prohibitively extensive/expensive testing program.

          As the other guy said, eventually you have to start relying on structure within your software to isolate things that *shouldn't* depend on one another, so that you can cut corners in your test cases.

          1. Anonymous Coward
            Anonymous Coward

            Re: Testing?

            Was tested, patch behaves as expected, rtfm.

        2. Ken Moorhouse Silver badge

          Rollback

          One of the criticisms one can safely level at MS over the years is their inability to provide proper rollback support into their installation methodologies. Even now it is possible that some patch or software gets installed, something goes wrong with it halfway through the install, then you have the situation where:-

          (1) trying to install it again gives the message that it is already installed.

          (2) trying to uninstall it gives you the message that it cannot be uninstalled, as it is not installed.

          This inability extends to other programs/utilities by third-parties that are installed/uninstalled using the officially laid down methods of doing such things.

          This is a good reason in itself not to allow MS to update anything on your systems without some kind of contingency plan in place.

      2. a_yank_lurker

        Re: Testing?

        Testing is hard but when a patch borks enough systems to make headlines one should wonder if they even bothered to test it. Also, this is not the first time a patch caused major problems for a lot of users.

        1. Destroy All Monsters Silver badge
          Windows

          Re: Testing?

          Or, you know, there could be some analyzable logic behind the system instead of hacked code looking like a quilt from the thrift shop? Just an idea. It would make sense I guess.

          I really want a Plinkett icon...

    2. Hans 1
      Windows

      Re: Testing?

      >testing protocol

Don't try to be a smart ass, these are Window Cleaner and Surface Specialists you are talking to and they've never heard of "testing" nor of protocols, ... poor sods, I do feel for you lot!

    3. Vector

      Re: Testing?

      "Was this patch even tested?"

      Yes.

      In the field.

      By the users.

      It failed.

      1. Zakhar

        Re: Testing?

        Indeed.

        We had TDD (Test Driven Development)

        Now M$ invented a better method: UTDD (User Test Driven Development).

They save a lot of money NOT paying testers with that, which proves it's a good method!

  4. Anonymous Coward
    Anonymous Coward

    Thanks for that subhead

    After Patch Tuesday comes Facepalm Wednesday

    Beautiful :)

    1. Yugguy

      Re: Thanks for that subhead

      I know - I want Facepalm Wednesday to be a real thing.

  5. Howard Hanek
    Happy

    Simpler Times

    ....when patch Tuesdays led to quilting Wednesdays and something good to show for it......

  6. energystar
    IT Angle

    Just to remember MS

    That [Sub]Group Policy should be a [Properly Logged] Configuration File.

    You can put that in the Registry, if You wish.

    1. david 12 Silver badge

      Re: Just to remember MS

      Perhaps you fail to understand the nature of the reported "feature".

      It changed an authentication method.

      That's a fail regardless of if you apply the new feature from a file or by some other method.

      It can be rolled back.

      This isn't a "feature" that failed because it was not "properly logged", or failed because it was not implemented through the windows installation service. It's a fail because it was a poorly thought out and poorly communicated change.

  7. Pascal Monett Silver badge

    "Microsoft's most recent security update"

    Microsoft does not make Security Updates anymore.

    It makes GWX updates, and it makes irrelevant little things.

    One of the irrelevant little things made a boo-boo this time.

    SatNad does not care.

  8. Anonymous Coward
    Anonymous Coward

    Auto updates.. such a wonderful thing!

    Said no one ever.

  9. Anonymous Coward
    Trollface

    Didn't bother me at all ;)

    Ok, I'll admit up front: this is a little bit of a troll post but still meant somewhat seriously. You can check my past posts for that ;)

    Ever since Microsoft has EOL'd 2k3 server and chopped TechNet my company decided that there wasn't enough budget to warrant an extra license merely for testing. It simply went outside of the budget (can't blame 'm). We moved to FreeBSD with Samba, Apache, PostgreSQL and Mono (mod-mono) and never looked back. In all honesty: this isn't enterprise sized we're talking about, but still big enough.

    As said, we never looked back. The only patching we're doing is using portsnap :)

    1. John 104

      Re: Didn't bother me at all ;)

      @ShellLuser

      You knob! ;) Microsoft's policy is that if it isn't a revenue producing system, you don't have to pay for a license. You can test to your hearts content and not have to worry about being out of compliance.

      1. Danny 14

        Re: Didn't bother me at all ;)

        That is fine for you but for us we are fairly stuck with MS. We are a college and teach certain courses. We need Sibelius music software so that's Linux out straight away, we also teach photoshop so again no Linux. We also teach autocad, again no Linux there. Sure we could change MS office to openoffice et al but that's about it. So MS we have to stay with.

        GPOs are the lifeblood of any MS server environment and I assume most GPO environments are going to have some kind of drive mapping, drive hiding (and blocking) GPO so a massive change like this is bad, very bad.

        1. Ken Moorhouse Silver badge

          Re: Sibelius

          The first time I came across Sibelius software was in an exclusively Mac environment (in an educational environment btw). Photoshop is also available as a Mac program. On a Mac you can use MS Office if you really wanted to, or use Openoffice. Autodesk, again is dual-platform.

          I have to say, even as an IT consultant with a leaning towards the pc platform, it looks as if Mac might suit your needs better.

  10. Mr Humbug

    >El Reg has asked Microsoft for comment on the matter

    >but has yet to hear back from Redmond at the time of publication.

    Erm... isn't the whole thing explained under the 'Known Issues' section in the KB article about the patch?

    https://support.microsoft.com/en-gb/kb/3163622

Just make sure that Authenticated Users has Read permission on the GPO (which it does by default)

    1. Anonymous Coward
      Anonymous Coward

      Indeed, appears to be by design. Some RTFM necessary?

    2. phuzz Silver badge
      Stop

      Shhhh, this comment thread is for bashing Microsoft, not pointing out that the problem and the solution were both documented in the notes for anyone to read.

      1. Anonymous Coward
        Anonymous Coward

        :D Sorry, silly me! Can I have a Harumph?

        1. Alan W. Rateliff, II

          "Hey, I didn't get a 'harumph' outta that guy!"

          "Give the governor a 'harumph'!"

          "Harumph! Harumph!"

          "You'd better watch your ass..."

          Gave me a good laugh so I had to share.

      2. Will 20

        This is true - however it's a significant change into the behaviour of group policy, and given how often Microsoft push out patches, there might have been a better way to manage the change in behaviour.

    3. This post has been deleted by its author

      1. david 12 Silver badge

        Re: Not entirely

        No, I do not know that >"Read" a policy means APPLY the policy<.

        I assume that you think that you mean that "filtering" is the same as "read permission". It is not. There are several ways to alter permissions independent of filtering, and filtering independent of permissions.
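Mr Humbug's point that Authenticated Users needs Read on the GPO, and david 12's point that Read permission and security filtering (Apply) are separate things, can both be checked across a domain with the script below. It is an added example, not code from the article or any commenter; it assumes the GroupPolicy RSAT module on a domain-joined host with rights to read (and, with -Fix, edit) GPO permissions, and it treats a GPO as fine if either Authenticated Users or Domain Computers holds at least Read.

```powershell
# Added example (not from the article or the commenters): find GPOs that MS16-072 will
# stop applying because the computer account can no longer read them, and optionally
# grant Read only, leaving the existing security filtering (Apply) untouched.
param([switch]$Fix)

Import-Module GroupPolicy

# Either of these trustees holding Read is enough for the computer's security
# context to retrieve the user-side policy after MS16-072.
$Readers = 'Authenticated Users', 'Domain Computers'

function Test-GpoReadableByComputers {
    param([Parameter(Mandatory)] $Gpo)
    foreach ($name in $Readers) {
        # Get-GPPermission errors when the trustee has no ACE at all, so swallow that
        # and treat it as "no permission".
        $perm = Get-GPPermission -Guid $Gpo.Id -TargetName $name -TargetType Group `
                                 -ErrorAction SilentlyContinue
        # Any level other than None (GpoRead, GpoApply, GpoEdit, ...) includes Read.
        if ($perm -and $perm.Permission -ne 'None') { return $true }
    }
    return $false
}

$broken = Get-GPO -All | Where-Object { -not (Test-GpoReadableByComputers $_) }

if (-not $broken) {
    Write-Host 'All GPOs are readable by Authenticated Users or Domain Computers.'
    return
}

foreach ($gpo in $broken) {
    Write-Warning ("GPO '{0}' ({1}) lacks Read for Authenticated Users and Domain Computers; " +
                   "user settings in it will not apply after MS16-072") -f $gpo.DisplayName, $gpo.Id
    if ($Fix) {
        # GpoRead is the documented remediation level. It is additive: the users/groups
        # already given Apply via security filtering are the only ones the policy applies to.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
                         -PermissionLevel GpoRead | Out-Null
        Write-Host "  -> granted Read to Authenticated Users on '$($gpo.DisplayName)'"
    }
}
```

Run it without -Fix first to get the list, then with -Fix once you have confirmed each flagged GPO really is one whose filtering was narrowed deliberately.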

    4. Gis Bun

      Oh. People don't read - they prefer to complain.

      That said, the "fix" wasn't on the web site immediately.

  11. PeterM42
    FAIL

    Just some more.....

    ....untested crap from MicroCRAP.

  12. blokedownthepub

    2 hours wasted

    I think I've just been caught by this, but my symptoms were different.

    A GPO that only added mapped drives just stopped applying. It was listed in Group Policy Modelling, but no mention of it (applying or failing) in Group Policy Results.

    Solution was to delete and recreate a similar GPO.

    Two hours of this morning wasted troubleshooting why mapped drives had disappeared overnight.

    1. blokedownthepub

      Re: 2 hours wasted

      just seen Mr Humbug's post (upvoted) - that explains it, user security filtering.

  13. Paul Woodhouse

    ahhhhhhh.......

was wondering why I had lusers with printers vanishing. had guessed it was an MS update, didn't think to check whether they were printers applied with GPOs though...

  14. Anonymous Coward
    Anonymous Coward

    Even though it's documented,

    Part of this is still Microsoft's fault for no longer providing advanced notification of what is going to be included in a patch Tuesday release. That would be the perfect place to highlight a change in GP behavior so once Tuesday came around and the details were released, admins would have some clue to pay special attention to (and actually read) the KB for that patch. Assuming you can get to the KB. As it is now, many of the KB articles for the patches are not even available until late Tuesday, sometimes Wednesday. Is it really that hard to get the articles posted when the patches are released?

    1. John 104

      Re: Even though it's documented,

      @AC

      This is the new Microsoft. Just trust them and don't worry about those pesky technical details.

      The new Microsoft treats all customers as desktop users. They know what is best for us. Trust them.

  15. 101
    Meh

    Off into the next phase, just a little early....

    With mandatory updates and mandatory "upgrade" it was clear to me updates could and would be an ideal corporate-state attack vector to enhance data collection and surveillance. Now that the upgrade deadline is near, clearly it's time to become MORE aggressive.

Any update that borks legitimate group policies is malware, at least.

    I love big brother and hope he loves me way big.

    XXXXXX!!!!

  16. earl grey
    Paris Hilton

    yes, but

    Did you get your kiss afterward?

    Paris, well, because....

  17. darlingimp

    No problems encountered here ...

    WSUS server has been disabled since this whole WIN10 crap began. Will resume when trusted again.

    1. Trixr

      Re: No problems encountered here ...

      If you don't know how to configure your environment so that you have no concerns about forced OS updates - I agree this should be unnecessary - better that you leave it off.
