The “CredSSP encryption oracle remediation” error when connecting to the remote computer’s desktop over RDP indicates that the remote host (most likely) or your computer is missing a security update that fixes a critical vulnerability in the CredSSP protocol.
Remote Desktop connection An authentication error has occurred. The function is not supported. Remote Computer: hostname This could be due to CredSSP encryption oracle remediation.
The Credential Security Support Provider (CredSSP) protocol is used to pre-authenticate users when the Network Level Authentication (NLA) protocol is enabled for Remote Desktop (RDP) connections. A critical vulnerability in the CredSSP protocol, which could lead to remote code execution via an open RDP port, was discovered and fixed in 2018 (CVE-2018-0886).
There are two possible scenarios if you receive this error:
- Your computer with the CredSSP update installed blocks connection to an unpatched RDP host with a vulnerable version of CredSSP. This is the most common case. This is usually because the operating system on the remote RDP host is being deployed from an old distro (RTM versions of Windows Server 2016/2012 R2/2008 R2, Windows 7, 8.1, or Windows 10 up to build 1803).
- A patched remote RDP (RDS) server blocks unpatched clients from connecting. It’s an opposite scenario. The client is running an old Windows build and the enforced mode is enabled on the Remote Desktop host to block vulnerable versions of CredSSP.
The recommended way to fix the CredSSP error is to download and install the latest cumulative security update rollup for your version of Windows released after May 2018 on the remote RDP host (or client, depending on the scenario). To check the latest Windows update installation date on a computer, use the PSWindowsUpdate module or the following WMI command in the PowerShell console:
gwmi win32_quickfixengineering |sort installedon -desc
If there are no updates installed after 2018, you can manually download the MSU update from the Microsoft Update Catalog or install it via Windows Update or the WSUS update server.
There is a temporary workaround that allows connecting a remote desktop with a vulnerable CredSSP version (not recommended for continuous use due to security reasons).
- Open the local GPO editor (
gpedit.msc) on the client computer (from which you are trying to establish an RDP connection) - Navigate to Computer Configuration -> Administrative Templates -> System -> Credentials Delegation
- Enable the policy Encryption Oracle Remediation and set the Protection Level to Vulnerable
- Update the group policy setting on the computer (run
gpupdate /forcecommand) - Attempt to connect to the remote host via RDP.
- Force Updated Clients – the most secure mode, which blocks vulnerable computer connections. If this option is enabled on the RDP host, it will block RDP connections from client computers with a vulnerable version of CredSSP.
- Mitigated – (used by default) in this mode, outbound RDP connections to remote hosts with a vulnerable version of CredSSP are not allowed. Incoming connections are allowed even from unpatched clients;
- Vulnerable – connections to RDP hosts with a vulnerable version of CredSSP are allowed (unsafe mode).
If you do not have a local GPO editor (for example, in Windows Home editions), you can make a direct registry change to allow RDP connections to servers with an unpatched version of CredSSP:
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2
Once you have successfully connected to an RDP host, install the latest security updates on it. Then disable the Encryption Oracle Remediation policy on the client machine, or return the value 0 for the AllowEncryptionOracle registry parameter.
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 0
