Windows OS Hub


September 10, 2019 | Windows 10, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016

RDP Authentication Error: CredSSP Encryption Oracle Remediation

After installing the Windows security updates released after May 2018, you may face the CredSSP encryption oracle remediation error during an RDP connection to a remote Windows server or computer in the following cases:

  • You are trying to connect to the remote desktop of a computer on which an old Windows version has just been installed (for example, Windows 10 RTM, or build 1709 or older, Windows Server 2012 R2, Windows Server 2016) and the latest Windows security updates are not yet installed;
  • You are trying to connect via RDP to a computer on which Microsoft updates have not been installed for a long time;
  • The remote computer blocked RDP connection because the necessary security updates are missing on your computer.

Let’s try to understand what the RDP error CredSSP encryption oracle remediation means and how to fix it.

So, when trying to connect to the RemoteApp on RDS servers running Windows Server 2016/2012 R2/2008 R2, or to remote desktops of other users using the RDP protocol (on Windows 10, 8.1 or 7), an error appears:

Remote Desktop connection
An authentication error has occurred.
The function is not supported.
Remote Computer: hostname
This could be due to CredSSP encryption oracle remediation.


This error occurs because Windows security updates (at least since March 2018) have not been installed on the remote Windows instance to which you are trying to connect via RDP.

This error may also look like this: An authentication error has occurred. The function requested is not supported.

In March 2018, Microsoft released updates that block remote code execution using a vulnerability in the CredSSP (Credential Security Support Provider) protocol (bulletin CVE-2018-0886). In May 2018, an additional update was published, which by default prevents Windows clients from connecting to remote RDP servers with a vulnerable (unpatched) version of the CredSSP protocol.

Thus, if you have not installed cumulative security updates on your Windows RDS/RDP servers (computers) since March 2018, and May 2018 updates (or newer) were installed on RDP clients, then when you try to connect to RDS servers with an unpatched version of CredSSP an error appears: This could be due to CredSSP encryption oracle remediation.

The RDP error on clients appears after the following security updates are installed:

  • Windows 7 / Windows Server 2008 R2 — KB4103718
  • Windows 8.1 / Windows Server 2012 R2 — KB4103725
  • Windows Server 2016 — KB4103723
  • Windows 10 1803 — KB4103721
  • Windows 10 1709 — KB4103727
  • Windows 10 1703 — KB4103731
  • Windows 10 1609 — KB4103723

This list shows the KB numbers from May 2018; at the moment you need to download and install the latest cumulative update package for your Windows edition. You can get the latest security updates through Windows Update from Microsoft servers, from a local WSUS server, or manually download hotfix *.msu files from the Microsoft Update Catalog (https://www.catalog.update.microsoft.com/Home.aspx).

For example, to search for August 2019 updates for Windows 10 1803, use the following search query: windows 10 1803 x64 8/*/2019. Download and install the Windows cumulative update (in my example, it is “2019-08 Cumulative Update for Windows 10 Version 1803 for x64-based Systems (KB4512509)”).

To restore the remote desktop connection, you could uninstall the specified security update on the remote computer, but this is not recommended and you should not do it; there is a more secure and correct solution.

To fix the connection problem, you need to temporarily disable the CredSSP version check on the computer from which you are connecting via RDP. This can be done using the local Group Policy editor.

  1. Run the local GPO editor: gpedit.msc;
  2. Go to the GPO section Computer Configuration -> Administrative Templates -> System -> Credentials Delegation;
  3. Locate the policy with the name Encryption Oracle Remediation, enable the policy and set the Protection level to Vulnerable;
  4. Update the policy setting on the computer (run the gpupdate /force command) and try to connect to the remote server via RDP. With the Encryption Oracle Remediation policy set to Vulnerable, client applications with CredSSP support will be able to connect even to unpatched RDS/RDP endpoints.

The Encryption Oracle Remediation policy offers 3 available values to protect against the CredSSP vulnerability:

  • Force Updated Clients — the highest protection level when the RDP server blocks the connection from non-patched clients. Usually, this policy should be enabled after you have completely updated the entire infrastructure and added the latest security updates to the Windows install images for servers and workstations;
  • Mitigated — in this mode, an outgoing remote RDP connection to RDP servers with a vulnerable version of CredSSP is blocked. However, other services using CredSSP work fine;
  • Vulnerable — the lowest level of protection when connecting to an RDP server with a vulnerable version of CredSSP is allowed.

If you do not have a local GPO editor (for example, in Windows Home editions), you can change the registry directly to allow RDP connections to servers with an unpatched version of CredSSP:

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2


You can change the AllowEncryptionOracle registry parameter on multiple computers in AD using a domain GPO or with a PowerShell script such as the following (you can get a list of computers in the domain using the Get-ADComputer cmdlet from the RSAT-AD-PowerShell module):

# Requires the ActiveDirectory module (RSAT-AD-PowerShell)
Import-Module ActiveDirectory
$computers = (Get-ADComputer -Filter *).DNSHostName
foreach ($computer in $computers) {
    # Set AllowEncryptionOracle to 2 (Vulnerable) on each remote computer
    Invoke-Command -ComputerName $computer -ScriptBlock {
        # /f overwrites an existing value without prompting
        REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2 /f
    }
}

After successfully connecting to the remote RDP server (computer), you need to install the latest security updates through Windows Update (verify that the wuauserv service is enabled) or manually. Download and install the latest cumulative Windows updates from the Microsoft Update Catalog website as shown above. If the error “The update is not applicable to your computer” appears when installing the MSU update, read the article using the link above.

For Windows XP/Windows Server 2003 that are no longer supported, you need to install updates for Windows Embedded POSReady 2009. For example: https://support.microsoft.com/en-us/help/4056564.

After installing the updates and rebooting the server, don’t forget to disable the policy on the clients (or switch it to Force Updated Clients), or return the value of the AllowEncryptionOracle registry parameter to 0. Your computer will then no longer be at risk of connecting to hosts with unpatched CredSSP and of exploitation of the vulnerability.

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 0
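
To confirm that no client was left at Vulnerable after the workaround, the registry value can be audited and mapped back to the policy levels listed above. This is an added example, not part of the original article; the function name Get-CredSspOracleLevel and the host name client01.example.local are assumptions, and remote queries assume PowerShell remoting is enabled.

```powershell
# Added example: audit the Encryption Oracle Remediation level on clients.
# Get-CredSspOracleLevel is a hypothetical helper name, not a built-in cmdlet.
function Get-CredSspOracleLevel {
    param(
        # Computers to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Value-to-level mapping of AllowEncryptionOracle.
    $levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

    # Runs on the target and returns the DWORD, or nothing if it is not set.
    $probe = {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
        $prop = Get-ItemProperty -Path $key -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
        if ($prop) { [int]$prop.AllowEncryptionOracle }
    }

    foreach ($computer in $ComputerName) {
        $value = $null
        $level = 'Not configured'
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $value = & $probe
            } else {
                $value = Invoke-Command -ComputerName $computer -ScriptBlock $probe -ErrorAction Stop
            }
            if ($null -ne $value) {
                $value = [int]$value
                $level = if ($levels.ContainsKey($value)) { $levels[$value] } else { "Unknown ($value)" }
            }
        } catch {
            # Unreachable host or WinRM failure: report it instead of aborting the audit.
            $level = "Query failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            ComputerName = $computer
            Value        = $value
            Level        = $level
            # True while the temporary workaround is still in place.
            RevertNeeded = ($value -eq 2)
        }
    }
}

# Constructed host names; replace with your own clients.
Get-CredSspOracleLevel -ComputerName $env:COMPUTERNAME, 'client01.example.local' |
    Sort-Object RevertNeeded -Descending | Format-Table -AutoSize
```

Rows with RevertNeeded set to True are the machines where the value still has to be returned to 0 or the policy changed.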

There is another scenario in which updates are not installed on your computer. For example, the RDP server is updated, but it has a policy that blocks RDP connections from computers with the vulnerable version of CredSSP (Force Updated Clients policy setting). In this case, you will also see the RDP connection error “This could be due to CredSSP encryption oracle remediation”.

Check the date on which Windows updates were last installed on your computer using the PSWindowsUpdate module or through the WMI command in the PowerShell console:

gwmi win32_quickfixengineering |sort installedon -desc

This example shows that the latest Windows security updates were installed on June 17, 2018. Download and install the newer MSU cumulative update file for your Windows edition (see above).
