I posted this a day or two ago and guess I didn't get enough detail. I thought the simple fix was to add Authenticated Users under Delegation and give them Read privileges but I don't think this is correct. Don't they need Read and Apply GPO?
Secondly, I thought Authenticated Users (Read and Apply GPO) was just a standard, that every GPO should have it under Delegation, but when I add Authenticated Users under Delegation it also adds Authenticated Users under Scope. I don't want that. I have a specific security group under Scope, and when added, that group is automatically put under Delegation with Read and Apply GPO permissions.
So I am a little confused about what KB3159398 actually did. I don't really want to carte blanche add Authenticated Users under Delegation wherever it is missing, do I?