There is a bug in the september cumulative (security-) update for windows server 2016 1607 that cripples the ability to pre-set security options using GPOs. Microsoft is aware of the problem and there are two workarounds mentioned.
PSEXEC vulnerability! Must-read for admins who use it. Please note that you might not be aware that you use it since it is incorporated into some software products that interact with remote systems, so read it anyway!
0patch has issued a patch, Microsoft has not (yet). Only patches psexec v2.2!
Update: Microsoft released a new patched version. To use it against machines that you used the old version against, you need to launch this command 1st, or it will fail:
net stop psexecsvc & sc remove psexecsvc