question

HofstetterMartin-3255 avatar image
3 Votes"
HofstetterMartin-3255 asked ·

GPMC error for "Security Options" after Updates 2020-09 in Windows Server 2016 Domain Controllers

We have found that if a Windows Server 2016 DC has been patched with the current Cumulative Update 2020-09 and Servicing Stack Update 2020-09, the "Security Options" in a policy can no longer be opened in the GPMC afterwards. It is not clear which of these two updates really causes this. Windows Server 2019 DCs seem not to be affected.24073-gpmc-error.jpg


windows-server-2016
gpmc-error.jpg (35.9 KiB)
· 1
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Same problem for EN-US servers as well.

0 Votes 0 · ·
HannahXiong-MSFT avatar image
0 Votes"
HannahXiong-MSFT answered ·

Hello,

Microsoft had released the new KB4580346 to fix this issue. This release addresses an issue that might prevent you from accessing the Security Options data view in the Group Policy Management Editor (gpedit.msc) or Local Security Policy Editor (secpol.msc). The error is, "MMC has detected an error in a snap-in”.

https://support.microsoft.com/en-us/help/4580346/windows-10-update-kb4580346

Thanks.

Best regards,
Hannah Xiong


· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

HannahXiong-MSFT avatar image
0 Votes"
HannahXiong-MSFT answered ·

Hello,

Thank you so much for posting here.

After finishing installing 2020-09 Cumulative Update for Windows server 2016 Domain Controller, the Security Option MMC also could not be opened in my AD environment. I am doing the research and will come back to you next week.

24115-1.png

24125-2.png

Thank you so much for your time and support.

Best regards,
Hannah Xiong



1.png (30.3 KiB)
2.png (37.9 KiB)
· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

GnterBorn-1764 avatar image
1 Vote"
GnterBorn-1764 answered ·

I received also a notification from a German user, that has been facing this issue. I've blogged about that at windows-10-v1607-update-kb4571694-creates-id-5827-events-bricks-mmc

It seems that update KB4577015 is causing this issues. Thx for posting/confirming


· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

solmssen avatar image
0 Votes"
solmssen answered ·

I am being affected by this as well - Windows Server Essentials 2016 VM, just updated to 2020-09 patches, trying to edit group policy settings for Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - Security Options. I get a dialog that an error has occured in wsecedit.dll.

· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

HannahXiong-MSFT avatar image
0 Votes"
HannahXiong-MSFT answered ·

Hello,

Thank you so much for your time and support.

Update 2020-09 Cumulative Update (KB4577015) is causing this GPO MMC error. We are so sorry that we are having this problem. We have reported this issue and will come back here for any feedback.

Besides, to avoid being affected, we could choose to uninstall this update as shown below.

24356-uninstall-update.png

24444-uninstall-2.png

After successfully uninstall, the security options MMC could be opened then.

24378-security-option.png

So sorry for the inconvenience caused. Thank again for your support.


Best regards,
Hannah Xiong



uninstall-2.png (57.3 KiB)
security-option.png (58.4 KiB)
· 2 · Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Do you have an update - this is impacting folks and we don't want to uninstall security updates......

0 Votes 0 · ·

bumping for an update as well

0 Votes 0 · ·
HenrikHallebrand-3524 avatar image
0 Votes"
HenrikHallebrand-3524 answered ·

Any update on this when it can be fixed or if you have a private fix for it? I guess all customers have problems with this.

· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DavideRadice-0354 avatar image
3 Votes"
DavideRadice-0354 answered ·

Workaround

• Use a non-RS1 OS to edit GPOs. For example, install the GP admin tools to a client OS.

• The crash can be avoided by deleting the following registry key. Please make sure to export the reg key before deleting anything. Deleting the key will cause the “Interactive logon: Display user information when the session is locked” policy to not appear in the console. (The policy is still effective, but you can’t see it in the UI to edit it). You will need to import the key back later, after the fix has been released.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values\MACHINE/Software/Microsoft/Windows/CurrentVersion/Policies/System/DontDisplayLockedUserId

· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

INNOXY-0001 avatar image
0 Votes"
INNOXY-0001 answered ·

Thank you @DavideRadice-0354 for your interim fix, hope MS will fix this soon.

 reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values\MACHINE/Software/Microsoft/Windows/CurrentVersion/Policies/System/DontDisplayLockedUserId"


· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DonPickard-7259 avatar image
0 Votes"
DonPickard-7259 answered ·

MS acknowledged https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-1607-and-windows-server-2016#1482msgdesc

 The resulting error dialog provides options to continue using the Management Console to view other nodes normally. Note: This issue does not affect the application of the Security Options or any other Group Policy Objects (GPOs) to devices in your environment.
    
 Affected platforms:
 Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
 Server: Windows Server 2016
 Workaround: To mitigate this issue, you can install Remote Administrative tools on a device running Windows 10, version 1709 or later. This will allow you to run Group Policy Management Console and edit GPOs on the affected server.
    
 Next steps: We are working on a resolution and will provide an update in an upcoming release.
· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

MichaelMaher-9695 avatar image
0 Votes"
MichaelMaher-9695 answered ·

I've got this on DCs but also on at least one member server with the AD Tools installed

On that member server no admin tool which uses mmc.exe would launch.

I got "This app has been blocked for your protection" until I deleted the registry key and restarted

· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.