Active Directory, Group Policy, not working after MS16-072 applied
Group Policy Objects (GPOs) may appear to stop working after the MS16-072 update has been applied. The reason is that the security context in which user GPOs are retrieved has changed, so a GPO whose permissions were tightened by security filtering may no longer be readable by the computer account. This is by design.
MS16-072 was delivered in the following updates:
For Windows 7, 8, 8.1, Server 2008/R2, Server 2012/R2: https://support.microsoft.com/en-us/kb/3159398
For Windows 10 (part of Cumulative Update): https://support.microsoft.com/en-us/kb/3163017
For Windows 10 rev 1511 (part of Cumulative Update): https://support.microsoft.com/en-us/kb/3163018
This update changes the security context with which user group policies are retrieved. The by-design behavior change protects customers' computers from a man-in-the-middle elevation-of-privilege vulnerability in Group Policy processing. Before MS16-072 is installed, user group policies are retrieved using the user's security context. After MS16-072 is installed, user group policies are retrieved using the machine's security context. The practical consequence: if "Authenticated Users" (the default, which includes all domain computer accounts) was removed from a GPO's permissions and replaced with a specific user group for security filtering, the computer account no longer has Read permission on the GPO, the GPO cannot be fetched, and its user settings are not applied.
Note that Group Policy application (security filtering) is still evaluated against the user or group, as before: the user still needs both Read and Apply Group Policy on the GPO for it to apply.
It is recommended that you do not uninstall or roll back this update. The change in behavior is by design, and the access control on the affected GPOs can be adjusted to restore functionality, as follows:
In Group Policy Management Console, for the GPO in question, on the Delegation tab, add an access control entry for "Domain Computers" with "Read" permission (not "Read and Apply Group Policy"). Alternatively, re-add "Authenticated Users" with "Read" permission, which is the default. Do not grant "Domain Computers" the Apply Group Policy permission: that would make any computer settings in the GPO apply to every computer in the domain. Only GPOs from which "Authenticated Users" was removed are affected; GPOs with default delegation continue to work.
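The following PowerShell script automates the check and the fix described above across a whole domain. It is an added example, not part of the original article or of Microsoft's guidance, and assumes the GroupPolicy RSAT module is installed and that the caller has permission to modify GPO security (typically Domain Admins). The functions and parameter names are the author's own; the cmdlets (Get-GPO, Get-GPPermission, Set-GPPermission) are the standard GroupPolicy module cmdlets.

```powershell
#requires -Modules GroupPolicy
# Added example (not from the original article): report GPOs that domain computer
# accounts cannot read after MS16-072, and optionally grant "Domain Computers" Read.
# Default is report-only; pass -Fix (and -WhatIf to preview) to change permissions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DomainName = $env:USERDNSDOMAIN,   # assumption: run from a domain-joined host
    [switch]$Fix
)

Import-Module GroupPolicy

# Permission levels that include Read on the GPO. Apply/Edit levels are supersets of Read.
# GpoCustom (non-standard ACL) is deliberately excluded and treated as "needs manual review".
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

# Returns $true when either Authenticated Users (well-known SID S-1-5-11, which contains all
# domain computer accounts) or Domain Computers (domain SID + RID 515) has an Allow entry
# at a level that includes Read. A Deny entry is ignored here and surfaces as "cannot read".
function Test-ComputerReadable {
    param([Parameter(Mandatory)] [AllowEmptyCollection()] $Permissions)
    foreach ($p in $Permissions) {
        if ($p.Denied) { continue }
        $sid = $p.Trustee.Sid.Value
        $isComputerTrustee = ($sid -eq 'S-1-5-11') -or ($sid -like 'S-1-5-21-*-515')
        if ($isComputerTrustee -and ($p.Permission -in $ReadLevels)) {
            return $true
        }
    }
    return $false
}

$results = foreach ($gpo in Get-GPO -All -Domain $DomainName) {
    $perms = Get-GPPermission -Guid $gpo.Id -All -DomainName $DomainName
    $ok = Test-ComputerReadable -Permissions $perms

    if (-not $ok -and $Fix -and $PSCmdlet.ShouldProcess($gpo.DisplayName, 'Grant Domain Computers Read')) {
        # Read only, never Apply: the computer must be able to fetch the GPO on the user's
        # behalf, but security filtering (Apply Group Policy) stays with the user group.
        # In a multi-domain forest use 'DOMAIN\Domain Computers' as -TargetName.
        Set-GPPermission -Guid $gpo.Id -DomainName $DomainName `
            -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null
        $ok = $true
    }

    [pscustomobject]@{
        Name            = $gpo.DisplayName
        Id              = $gpo.Id
        ComputerCanRead = $ok
    }
}

# GPOs listed with ComputerCanRead = False are the ones whose user settings silently
# stopped applying after MS16-072 (or that have a custom/deny ACL worth inspecting).
$results | Sort-Object ComputerCanRead, Name | Format-Table -AutoSize
```

Run it once without -Fix to get the list of affected GPOs, then with -Fix -WhatIf to preview, and finally with -Fix to apply. After the change, run gpupdate /force on a test client and confirm with gpresult /h that the user settings are applied again.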