Follow

ProfileUnity no longer works after recent Windows updates on June 14th, 2016

Product: ProfileUnity-FlexApp

Product Version: All

Expires on: 365 days from publish date

Updated: June 28, 2016

 

Problem:

ProfileUnity no longer works after recent Windows updates on June 14th, 2016

 

Symptoms:

ProfileUnity is installed, Userinit value is correct, User and Machine are in correct GPO but ProfileUnity does now show splash screen or applies configuration changes.

RSOP review from gpresults /H show the user configuration portion of the ProfileUnity policy are not applied. 

No ProfileUnity GPO's UNCPath (INI path) found in HKCU registry after user logon. 

 

Possible Resolution(s):

On the June 14th Microsoft security update package regarding update MS16-072 

(https://support.microsoft.com/en-us/kb/3159398)

Microsoft made a change on how security policies are retrieved.  

"MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability.

Before MS16-072 is installed, user group policies were retrieved by using the user’s security context.

After MS16-072 is installed, user group policies are retrieved by using the computer's security context. 

All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.

This would be prevalent where the user policy had specific security groups assigned versus authenticated users.  

This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.

 

To resolve this issue:

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

  • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
  • If you are using security filtering and not authenticated user (Read), add the Domain Computers group with read permission.

Example:

When GPO is selected on the right side of the screen select "Delegation"

 Add "Domain Computers" with "Read" permission to the object. 

Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request

0 Comments

Article is closed for comments.