This issue is addressed in Microsoft Windows 8, Windows 8.1, Windows 10, Windows Server 2012 and Windows Server 2016. As a reminder, the Policy Enforcement Process (PEP) applies to every system that runs a GPO: domain-joined computers, Windows devices (such as Windows phones) and Windows servers. Because all such systems are subject to the PEP, the PEP does not stop a compromised system from attempting to gain higher privileges on the system that runs the policy; the compromised system is simply a PEP-enabled system trying to elevate privileges from the system that applies the policy. On a domain-joined computer the PEP is enforced at the system level, so a compromised domain-joined computer can potentially elevate privileges against a domain controller. The issue does not occur on domain controllers themselves; it occurs only when a domain-joined computer acts as a client to a domain, a workgroup or a non-domain network that is running a GPO.

Windows Server 2012 and 2016

Windows Server 2012 and Windows Server 2016 do not have this issue.

How Windows 10 and Windows Server 2016 Prevent Elevation of Privilege

In Windows 10 and Windows Server 2016, the PEP includes enhancements that prevent a compromised system from elevating privileges on a domain-joined computer. A compromised system can only attempt to elevate privileges on another system that runs a GPO, not directly on the domain controller. The PEP change that provides this protection is described in the mitigation section below.


Windows 10 and Windows Server 2016 Mitigation

This issue is addressed in the cumulative security update for Windows 10 and Windows Server 2016 released on May 29, 2017. The update includes a new GPO configuration option, introduced in the Security Update for Microsoft Windows (KB4056894); when enabled, it prevents a compromised system that is running a GPO from elevating its privileges on another system that runs a GPO.
The PEP does not apply to domain controllers; it applies only to domain-joined computers and other systems that run a GPO.

Timeline

Published on: 10/11/2022 19:15:00 UTC
Last modified on: 10/12/2022 14:04:00 UTC