Friday, June 17, 2016

Windows 10 patch MS16-072 / 3163622 / 3163018 can break Smart Office

Microsoft released patch MS16-072 / 3163622 / 3163018 for Windows 10 this week and it's causing communications issues between some Smart Office clients and servers:

Looking at the server installation point - https is inaccessible from Internet Explorer and Edge, while it works fine from Chrome:


The Microsoft fix is impacting other areas of infrastructure as well.  The immediate workaround is to uninstall KB 3163622 / 3163018 from affected PCs until either Microsoft resolves the issue or Infor provides an official mitigation.  It also appears that there may be group policy changes that can be made to address this, but I haven't tested these yet:

"MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers' computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user's security context. After MS16-072 is installed, user group policies are retrieved by using the machines security context. This issue is applicable for the following KB articles:
3159398 MS16-072: Description of the security update for Group Policy: June 14, 2016
3163017 Cumulative update for Windows 10: June 14, 2016
3163018 Cumulative update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: June 14, 2016
3163016 Cumulative Update for Windows Server 2016 Technical Preview 5: June 14 2016
Symptoms
All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.
Cause
This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.
Resolution
To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:
Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
If you are using security filtering, add the Domain Computers group with read permission."