Adding Domain Computers to GPO Delegation to fix GPOs not applying to non "Authenticated Users" scopes.

Modified on Thu, 10 Sep, 2020 at 12:35 PM

Since MS16-072 (a Windows update), Group Policy objects scoped to anything other than Authenticated Users or a specific computer need Domain Computers added to their delegation in order to apply.


To add Domain Computers on to new GPOs:


1. Connect to the AD Schema from ADSI Edit.

2. Expand the CN=Schema, CN=Configuration… tree. Navigate down to CN=Group-Policy-Container and double-click it.

3. On the defaultSecurityDescriptor attribute, go to the very end of the value and very carefully paste the following:

(A;CI;LCRPLORC;;;DC)

Press OK.

4. Finally, open MMC.exe and add the AD Schema snap-in. (If it doesn't appear, type regsvr32 schmmgmt.dll into an elevated command prompt, then try again.)

5. Once the AD Schema snap-in has been added, double-click it to load it, then right-click it and select Reload Schema.


Now all new policies will have Domain Computers added to their delegation.
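
To check the result of step 3 before reloading the schema, the following PowerShell is an added example, not part of the original article: it tests a defaultSecurityDescriptor string for paste damage and duplicate copies of the ACE, and decodes the ACE into its rights and trustee. The function names and the sample string are constructed for illustration, and the commented Get-ADObject lines assume the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original article. Read-only: parses text, writes nothing to AD.
# To test the live value (assumes the RSAT ActiveDirectory module):
#   $dn   = "CN=Group-Policy-Container,$((Get-ADRootDSE).schemaNamingContext)"
#   $sddl = (Get-ADObject $dn -Properties defaultSecurityDescriptor).defaultSecurityDescriptor
$RightNames   = @{ LC = 'List contents'; RP = 'Read property'; LO = 'List object'; RC = 'Read control' }
$TrusteeNames = @{ DC = 'Domain Computers'; AU = 'Authenticated Users' }

function Test-GpcDefaultSddl {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string]$Ace = '(A;CI;LCRPLORC;;;DC)'   # the ACE from step 3
    )
    # Each ACE is one parenthesised group of six ';'-separated fields:
    # type;flags;rights;object GUID;inherited object GUID;trustee
    $groups    = @([regex]::Matches($Sddl, '\([^()]*\)') | ForEach-Object { $_.Value })
    $malformed = @($groups | Where-Object { ($_.Trim('()') -split ';').Count -ne 6 })
    # With the groups removed only section headers such as "D:P" should remain;
    # a leftover bracket, semicolon or space means the paste damaged the string.
    $residue   = [regex]::Replace($Sddl, '\([^()]*\)', '')
    $copies    = @($groups | Where-Object { $_ -ceq $Ace }).Count
    [pscustomobject]@{
        AceCount     = $groups.Count
        Malformed    = $malformed
        StrayText    = ($residue -match '[();\s]')
        AcePresent   = ($copies -ge 1)
        AceDuplicate = ($copies -gt 1)
    }
}

function ConvertFrom-GpcAce {    # hypothetical helper name
    param([Parameter(Mandatory)][string]$Ace)
    $f = $Ace.Trim('()') -split ';'
    [pscustomobject]@{
        Type    = if ($f[0] -ceq 'A') { 'Allow' } else { $f[0] }
        Flags   = $f[1]          # CI = container inherit
        Rights  = @([regex]::Matches($f[2], '[A-Z]{2}') | ForEach-Object {
                      if ($RightNames.ContainsKey($_.Value)) { $RightNames[$_.Value] } else { $_.Value } })
        Trustee = if ($TrusteeNames.ContainsKey($f[5])) { $TrusteeNames[$f[5]] } else { $f[5] }
    }
}

# Constructed sample: the ACE pasted twice, with a trailing space.
$sample = 'D:P(A;CI;RPLCLORC;;;AU)(A;CI;LCRPLORC;;;DC)(A;CI;LCRPLORC;;;DC) '
Test-GpcDefaultSddl -Sddl $sample
ConvertFrom-GpcAce '(A;CI;LCRPLORC;;;DC)'
```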
