This is almost too sick to be true: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0295
Summary: windows server 2016 allows any user to pre-seed the template for new user profiles with malware in the autostart folder, all due to negligence@microsoft.com - Incredible. Think of terminal servers!
"Yet one more reason to keep current on updates" - I'd rather call it "one more reason to use applocker". Patches alone don't help. Also, the issue is not fully fixed by the patch. The startup folder is blocked for writing after the patch, but the rest of the profile is not. So still users can place malicious in the start menu template for new users. Microsoft is too lame to see.
This is true for server 2016 and any win10 system that is or has has ever been on v1607. See https://beingwinsysadmin.blogspot.de/2017/07/bug-windows-10-default-user-profile-is.html for the whole story.
So this year I decided it was really about time I applied for the
@vExpert subprograms, and guess what! I'm in! So Thanks to our Programme Manager @vCommunityGuy and Sub Programme Business Units!