- EC2 Image Builder: Build your golden VM images on AWS - Wed, Jan 19 2022
- Configuring DFS Namespaces for Amazon FSx for Windows file servers - Fri, Jan 7 2022
- AWS Systems Manager Session Manager: Securely connect EC2 instances - Wed, Dec 22 2021
The issue
In March, Microsoft released a security update to address vulnerabilities for the Credential Security Support Provider protocol (CredSSP) used by Remote Desktop Protocol (RDP) connections for Windows clients and Windows Server.
Previously, you were able to connect remotely from the updated machine to machines without the update. However, with the latest update released this May, Microsoft hardened security, and you can no longer connect to machines without the update.
You will face the CredSSP encryption oracle remediation error if you have applications or services such as the Remote Desktop Connection that use CredSSP on an updated machine. Authentication will not work and you will get this error message:
An authentication error has occurred. The function requested is not supported. Remote computer: This could be due to CredSSP encryption oracle remediation.
RDP authentication failed
The solution
To solve this issue, you have to install the update on the servers. However, if you need to connect to a computer that hasn't received the update, you can downgrade the protection level to Vulnerable. You can do this either via Group Policy or by changing the registry.
The Group Policy setting you need is Encryption Oracle Remediation. It provides three protection levels:
- Force Updated Clients: This is the highest level of protection because it requires applying the update to all clients you are going to communicate with using CredSSP. Thus, do not choose this option before applying the update to all of your clients and servers.
- Mitigated: This level blocks applications such as the Remote Desktop Connection to connect to servers that do not have the update. However, services that use CredSSP will work.
- Vulnerable: This is the lowest level of protection. It will allow you to connect to servers remotely using RDP. However, it will expose the servers to attacks.
To set the protection level to Vulnerable via Group Policy, follow these steps:
- Execute gpedit.msc.
- Navigate to the following path: Computer Configuration > Administrative Templates > System > Credentials Delegation.
- Edit the following setting: Encryption Oracle Remediation.
- Set it to Enabled, and set the protection level to Vulnerable.
Change the protection level to Vulnerable
Also, you can do it via the registry. This will provide the protection levels via numerical values:
- Force Updated Clients: 0
- Mitigated: 1
- Vulnerable: 2
To change the registry key to Vulnerable, you can run the following commands:
$RegPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\" New-ItemProperty -Path $RegPath -Name AllowEncryptionOracle -Value 2 -PropertyType DWORD -Force
Also ran into this in the last couple of weeks. I found the workaround before I saw this, but thanks for posting an explanation as to the reasoning behind it.
Good Article Mohamed! I will strongly suggest to read the article and in detail CVE-2018-0886. When I found that issue few weeks ago after the CVE article I’ve decided to patch immediately few servers, the main reason is that “Any change to Encryption Oracle Remediation requires a reboot.” so I preferred to apply the hotfix instead of applying a regkey or create a group policy that should apply the change and after patching revert the change.
Using Invoke-Command and Get-HotFix is possible to check/scan quickly if servers/hosts are already patched or with get-winevent (System, EventID 6041) on some clients to collect text message of the connection failed without even trying to RDP on each computer on different network or environment.
Hello Paolo,
Thank you so much for sharing such a brilliant idea with me. However, we need to consider that many IT admins do not prefer to apply updates on their servers and clients one shot. They regularly do it in phases to avoid any unexpected behaviors from the update. That’s why the first thing you would do would be either changing the group policy or the registry in order to workaround the issue and proceed with your operations. Also, when I tested that either in test labs or in customers sites’, it did not require a reboot.
Finally, when the company decides to update all the clients and servers, it would be better to change the group policy from the DC to avoid repeating the tasks on the all clients/servers they have changed the policy for it earlier.
In production you cannot just check/scan updates using PowerShell. Commonly, they are using SCCM or WSUS or any third party tool.
However, your way of thinking about it is very brilliant for Workgroup computers.
I agree with you in managing servers with SCCM, that leverages WSUS and I also follow the common sense of applying changes on a test ring and after a positive result move to the next one. Keep in mind that as admins we also apply the same common practice to group policies and registry changes.
If this issue creates an outage it means that the some of the servers weren’t patched and the request or incident needs to be managed according to the service.
Regarding the production environment, it depends by the kind of access and accountability that you have and most importantly which process to follow to apply any change, if updates are scheduled for patching Tuesday or 1 month behind and so on.
But in this case really mitigation strategy almost takes longer in total more to test, deploy than fix it once. In my case for workarounds I suggested to rdp to an un-patched client that was offline and use it as a jumpbox to rdp to the un-patched hosts, lucky that in my case the hosts to patch were really infinitely small percentage.
Mohamed, once we apply the workaround registry key prior to patch cycle, that leaves us ‘vulnerable’ so-to-speak. Once we get around to applying the patches in CVE-2018-0886 (KB 4093120), does make us ‘secure’ again or do we need to then apply that registry entry to the value of: 0 (zero) to force updated clients?
I just want to make sure we don’t leave ourselves vulnerable even after the patch…
Thank you.
Hello Rory,
When you apply the workaround that makes the RDP session exposed for attacks, even when you apply the update, it will not change the protection level automatically. So, you will have to apply a higher protection level again either via registry or group policy.
Thanks for the clarification on that. I think that’s one thing a lot of us IT Admins forget about doing after we apply workarounds. It’s good that Paolo mentioned the Invoke and get-hotfix commands to easily tell if the machine is still vulnerable or not. Good Stuff!
Let’s say we apply the May patch to the client and the server and do nothing else. Do we still need to apply a GPO to the client and the server to ‘force updated clients’ or is the patch good enough at this point? If anyone can clarify this that would be great.
If the patch is applied for the client and the server, you need to do nothing, but in case you cannot or you are patching your server in phases, you need to consider this workaround.
That worked. Thank you!
it didn’t work 🙁
Restart the client and try again
Good article! I think it is a good workaround as temporary solution waiting to update both side (client and server) in order to be safe from remote attacks.
For your info, Microsoft has published another article if you get the “CredSSP encryption oracle remediation” error when you are connecting via RDP to Windows VM in Azure from the local client.
Link : “CredSSP encryption oracle remediation” error when RDP to a Windows VM in Azure
What do I do if “Oracle Remediation Delegation” isn’t there?
Please help!
What is exactly your issue ? This article describes workaround when you get “CredSSP encryption oracle remediation” error message.
Hi guys,
I have same problem, thought was server 2012 R2 having problem. Ended up is easy fixed. Takes less than 2 minutes
Windows 10
install Microsoft Remote Desktop from Microsoft Store
launch it and see if works
It totally worked for me. Thank for sharing. I am using RDP wrapper with Windows 10 and after an update to one of the client system, just that system with the update could not connect Remote Desktop.
I downloaded the remote desktop client app from Windows app store and everything is fine.
Thanks again @Erik, it did took 2 minutes.
I followed all the steps you stated but couldn’t find Credentials Delegation after i clicked “SYSTEM”. What do I do?
Hello Mohamed.
I followed the same step as indicated but there was no option of Credentials Delegation on the settings. What do I do?
Computer Configuration > Administrative Templates > System > Credentials Delegation.
In that case, you might want to try to PowerShell script I’ve stated in the article:
$RegPath = “HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\”
New-ItemProperty -Path $RegPath -Name AllowEncryptionOracle -Value 2 -PropertyType DWORD -Force
If it displayed an error that CredSSP does not exist, then you need to create it and the CredSSP and Paramerters containers before running the previous script by running the following Cmdlets:
New-Item HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\
and
New-Item HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\
Script didn’t work. This is unbearably frustrating.
Hi
I am expericing this issue on 300 remote desktops! None of the above workarounds work for me
My current “workaround” is:
-Mount Windows OS ISO the machine
-Run the installed and “Reinstall/Repair” the Windows Installation
-Run Windows Update
-Patch Installs and RDP is now working
Can anyone advise why my process is so long/anything else I can try to remediate the issue for the other 298 machines 🙁
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4103723
Install this patch it will definitely help u…
if you want to install this patch in all 300 machines from remote support.
you can also install Microsoft Remote Desktop from Microsoft Store and then take each machine and install this patch..
hope this will help you out……..
Dhana
India-Chennai
Thanks Dhana,
It is working
reg add hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2
From an elevated command prompt run the following;
reg add hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2
You will then be able to log into your server.
This did not work for me Adrian 🙁
Did you run it from an elevated command prompt? Any error messages? It needs to be run on the computer you have launched RDP from.
Thanks you are the only one who mention that ( It needs to be run on the computer you have launched RDP from.)
Thanks again
I have two different parties managing the desktop and the server and have limited access to the configuration information on either side. It’s not entirely clear to my how to tell which side has not been upgraded with the CSSP patch. My working assumption is that it is the server side (running on Azure) that did the upgrade, and that the desktop side has not has CSSP upgraded.
I have access and control on the server side, but not to the Desktop. Getting the upgrade going for the desktops in the short team is rather an impossible task within a large corporation. So can we just make this change on the server side to downgrade CSSP to vulnerable status. My assumption here is that when corporate IT gets a round TUIT, we will d then get a connection error message again, which will prompt to set the server side CSSP level to a higher level.
Incase if want to check patch is installed for each version.
Note: This last as date of 31/7/2018
Windows 8.1/Windows Server 2012 R2
dism /online /get-packages | findstr KB4093120
Cumulative Update For Windows 10 Version 1607 (Earlier then that required to be updated)
dism /online /get-packages | findstr KB4093119
Cumulative Update For Windows 10 Version 1703 April 2018
dism /online /get-packages | findstr KB4093117
Cumulative Update For Windows 10 Version 1709 May 2018
dism /online /get-packages | findstr KB4103714
Cumulative Update For Windows 10 Version 1709 December 2017
dism /online /get-packages | findstr KB4054517
Cumulative Update For Windows 10 Version 1803 May 2018
dism /online /get-packages | findstr KB4103721
It work but when i restart my pc the value change to 1 again, is there a solution to this?
Hey mate,
Thanks for sharing the PowerShell Command.
It didn’t work with the GUI, however, worked like a charm with the command.
Hopefully it won’t change back to value 0 or 1.
Have a good day!
thank you
@Mr.Mohamed A. Waly you given solution is proper usable…
Thanks a lot…
gpedit.msc is not working on Windows 10 Home.
Please help…
Praveen Yadav
Windows 10 Home does not support Remote Desktop or Group Policy settings. You need at least Win Pro
Thanks 🙌