Windows OS Hub
  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux
  • Home
  • About

Windows OS Hub

  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux

 Windows OS Hub / Windows 10 / Fix RDP Connection Error ‘CredSSP Encryption Oracle Remediation’

July 23, 2024

Fix RDP Connection Error ‘CredSSP Encryption Oracle Remediation’

The “CredSSP encryption oracle remediation” error when connecting to the remote computer’s desktop over RDP indicates that the remote host (most likely) or your computer is missing a security update that fixes a critical vulnerability in the CredSSP protocol.

Remote Desktop connection
An authentication error has occurred.
The function is not supported.
Remote Computer: hostname
This could be due to CredSSP encryption oracle remediation.

windows 10 rdp error CredSSP encryption oracle remediation

This error can also look like this: An authentication error has occurred. The function requested is not supported.

The Credential Security Support Provider (CredSSP) protocol is used to pre-authenticate users when the Network Level Authentication (NLA) protocol is enabled for Remote Desktop (RDP) connections. A critical vulnerability in the CredSSP protocol, which could lead to remote code execution via an open RDP port, was discovered and fixed in 2018 (CVE-2018-0886).

There are two possible scenarios if you receive this error:

  • Your computer with the CredSSP update installed blocks connection to an unpatched RDP host with a vulnerable version of CredSSP. This is the most common case. This is usually because the operating system on the remote RDP host is being deployed from an old distro (RTM versions of Windows Server 2016/2012 R2/2008 R2, Windows 7, 8.1, or Windows 10 up to build 1803).
  • A patched remote RDP (RDS) server blocks unpatched clients from connecting. It’s an opposite scenario. The client is running an old Windows build and the enforced mode is enabled on the Remote Desktop host to block vulnerable versions of CredSSP.

The recommended way to fix the CredSSP error is to download and install the latest cumulative security update rollup for your version of Windows released after May 2018 on the remote RDP host (or client, depending on the scenario). To check the latest Windows update installation date on a computer, use the PSWindowsUpdate module or the following WMI command in the PowerShell console:

gwmi win32_quickfixengineering |sort installedon -desc

powershell: get last security update install date

If there are no updates installed after 2018, you can manually download the MSU update from the Microsoft Update Catalog or install it via Windows Update or the WSUS update server.

There is a temporary workaround that allows connecting a remote desktop with a vulnerable CredSSP version (not recommended for continuous use due to security reasons).

  1. Open the local GPO editor (gpedit.msc) on the client computer (from which you are trying to establish an RDP connection)
  2. Navigate to  Computer Configuration -> Administrative Templates -> System -> Credentials Delegation
  3. Enable the policy Encryption Oracle Remediation and set the Protection Level to VulnerableGPO option: Encryption Oracle Remediation - Vulnerable
  4. Update the group policy setting on the computer (run gpupdate /force command)
  5. Attempt to connect to the remote host via RDP.
The Encryption Oracle Remediation policy provides 3 levels of mitigation for the CredSSP vulnerability:

  • Force Updated Clients – the most secure mode, which blocks vulnerable computer connections. If this option is enabled on the RDP host, it will block RDP connections from client computers with a vulnerable version of CredSSP.
  • Mitigated – (used by default) in this mode, outbound RDP connections to remote hosts with a vulnerable version of CredSSP are not allowed. Incoming connections are allowed even from unpatched clients;
  • Vulnerable – connections to RDP hosts with a vulnerable version of CredSSP are allowed (unsafe mode).

If you do not have a local GPO editor (for example, in Windows Home editions), you can make a direct registry change to allow RDP connections to servers with an unpatched version of CredSSP:

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2

registry parameter AllowEncryptionOracle

Once you have successfully connected to an RDP host, install the latest security updates on it. Then disable the Encryption Oracle Remediation policy on the client machine, or return the value 0 for the AllowEncryptionOracle registry parameter.

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 0

8 comments
9
Facebook Twitter Google + Pinterest
Windows 10Windows Server 2016
previous post
VMWare ESXi Doesn’t Detect FC HBA adapters
next post
Unable to Unmount/Delete VMFS Datastore: The Resource Is in Use

Related Reading

How to Disable UAC Prompt for Specific Applications...

March 11, 2024

Fix: Photos App in Windows 10 Opens Extremely...

April 19, 2023

Protecting Remote Desktop (RDP) Host from Brute Force...

February 5, 2024

Software RAID1 (Mirror) for Boot Drive on Windows

February 24, 2025

How to Get My Public IP Address with...

October 24, 2023

How to Upgrade Windows Build from an ISO...

November 7, 2024

Unable to Access SYSVOL and NETLOGON folders from...

May 10, 2023

Disks and Partitions Management with Windows PowerShell

March 11, 2024

8 comments

Vandrey Trindade May 11, 2018 - 11:57 am

Hi,
I have seen that problem yesterday on a server that I can’t update.
What I did to fix for the client to be able to connect to the server was to deselect the box “Allow connections only from computers running Remote Desktop with Network Level Authetication (recommended)”.

Reply
Radj May 11, 2018 - 4:58 pm

Hi,
Thanks for the info! Please clarify:
Have you disabled NLA on the server side?
Do you use Windows Server 2003 / Win XP or something similar as an RDP server?
What is the Windows version on the client? Did you enable the policy Oracle Remediation Encryption = Vulnerable on the client computer?

Reply
Vandrey Trindade May 15, 2018 - 12:00 pm

RADJ,

Sorry… I’ve just seen your reply…
Q: Have you disabled NLA on the server side? A: Yes
Q: Do you use Windows Server 2003 / Win XP or something similar as an RDP server? A: No
Q: What is the Windows version on the client? A: Windows 7
Q: Did you enable the policy Oracle Remediation Encryption = Vulnerable on the client computer? A: No

As the server can’t be updated, it doesn’t has that group policy to configure…
So the quick fix was to deselect that box.
In this other site I saw a regedit solution:
http://jermsmit.com/credssp-encryption-oracle-remediation/

Reply
Andry May 15, 2018 - 5:00 am

Is there a solution how to connect to the RDS farm from a computer running Windows XP Sp3?

Reply
max May 15, 2018 - 5:04 am

Most likely the AllowEncryptionOracle = 2 registry parameter on computers with Windows XP will not work. Most likely, to connect to RDS from clients on XP, you need to switch the Encryption Oracle Remediation policy to the Mitigated/ Vulnerable level on terminal servers. However, the RDS server will be vulnerable to the exploitation of the CredSSP vulnerability (CVE-2018-0886). You will also have to disable the Network Level Authentication on RDS server (however, there is also a workaround for enabling NLA in Windows XP SP3). Those, it should be used only as a temporary solution, until you update the OS on clients to Windows 10 / 8.1 / 7.

Reply
kevin November 5, 2018 - 11:37 am

You can also connect via windows 10 ‘remote desktop’ app .. just to get you in and run updates

Reply
dama purnama sidhi January 30, 2019 - 2:44 am

thanks it work in my win 10 home

Reply
KC July 16, 2019 - 9:16 am

Please sync your time and location first

Reply

Leave a Comment Cancel Reply

join us telegram channel https://t.me/woshub
Join WindowsHub Telegram channel to get the latest updates!

Recent Posts

  • Map a Network Drive over SSH (SSHFS) in Windows

    May 13, 2025
  • Configure NTP Time Source for Active Directory Domain

    May 6, 2025
  • Cannot Install Network Adapter Drivers on Windows Server

    April 29, 2025
  • Change BIOS from Legacy to UEFI without Reinstalling Windows

    April 21, 2025
  • How to Prefer IPv4 over IPv6 in Windows Networks

    April 9, 2025
  • Load Drivers from WinPE or Recovery CMD

    March 26, 2025
  • How to Block Common (Weak) Passwords in Active Directory

    March 25, 2025
  • Fix: The referenced assembly could not be found error (0x80073701) on Windows

    March 17, 2025
  • Exclude a Specific User or Computer from Group Policy

    March 12, 2025
  • AD Domain Join: Computer Account Re-use Blocked

    March 11, 2025

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • Booting Windows from GPT Disk on BIOS (non-UEFI) Computer
  • Removable USB Flash Drive as Local HDD in Windows
  • How to increase KMS current count (count is insufficient)
  • How to Disable UAC Prompt for Specific Applications in Windows
  • How to Connect L2TP/IPSec VPN Server From Windows
  • Managing Printers and Drivers on Windows with PowerShell
  • How to Install Only Specific Apps in Office 2021/2019 or Office 365
Footer Logo

@2014 - 2024 - Windows OS Hub. All about operating systems for sysadmins


Back To Top