Prior to deploying MS16-072 / KB3159398 to our Win7 and Win8 systems, we reviewed all our GPOs and added Authenticated Users with read where it was removed for security-filtered GPOs, per the Microsoft guidance, due to the user policy processing context changing from user-based to computer-based.
We have now deployed KB3159398 to a few test Win7 and Win8 systems and, after comparing before and after gpresult reports, are seeing a different issue impacting the Windows 7 systems only. We are wondering if Microsoft is aware of this additional issue with the patch.
After receiving the patch, Win7 systems are showing an AD / SYSVOL Version Mismatch alert, with the SYSVOL version showing as 65535 for almost all computer policy as well as user policy GPOs. Win8 systems with the patch deployed are not showing the issue and show no alerts, and they show the AD / SYSVOL version in sync as normal.
When looking at the details for a specific GPO, the SYSVOL version now shows as SYSVOL (65535). Looking at other articles online, it appears this version that is displayed is likely not correct and may be due to the GPO being inaccessible to the computer or user (when a GPO is not accessible to the computer or user, the GP engine stores the SYSVOL version as hex FFFF, which translates to a decimal value of 65535).
I am wondering if Microsoft is aware of this as another issue with patch KB3159398?
I should clarify that the mismatch is showing for many GPOs that have always had Authenticated Users listed in Security Filtering (read and apply group policy), as well as for computer policy, so it isn't only showing for GPOs where Auth users was recently added.
I do see other people reporting this exact issue here: