After installing Windows security updates released after May 2018, you may encounter the “CredSSP encryption oracle remediation” error when attempting to RDP connect to a remote server and a Windows computer in the following cases:
- You are connecting to the remote desktop of a computer with a recently installed old (e.g., RTM) version of Windows (e.g., Windows 10 below build 1803, Windows Server 2012 R2, Windows Server 2016) that does not have the latest Windows security updates installed.
- You are trying to connect to an RDP computer that has not received Microsoft updates for a long time.
- RDP connection is blocked on the remote computer because the necessary security updates are missing on your client computer.
In these cases, it’s essential to ensure that both your client computer and the remote computer have the necessary security updates installed to resolve the CredSSP encryption oracle remediation error. You can follow the steps mentioned in the previous response to address this issue.
Let’s try to understand what the RDP error “CredSSP encryption oracle remediation” means and how it can be fixed.
So, when attempting to connect to a RemoteApp application on RDS servers running Windows Server 2016 / 2012 R2 / 2008 R2, or when connecting to remote desktops of other users using the RDP protocol (on Windows 10, 8.1, or 7), you encounter an error:
Remote Desktop connection
An authentication error has occurred.
The function is not supported.
Remote Computer: hostname
This could be due to CredSSP encryption oracle remediation.
This error is related to the fact that on the Windows Server or the standard desktop version of Windows you are trying to connect to via RDP, security updates for Windows (at least since March 2018) have not been installed.
The issue stems from the fact that in March 2018, Microsoft released an update that addressed a vulnerability in the CredSSP (Credential Security Support Provider) protocol that could be exploited for remote code execution. The details of this problem are described in the CVE-2018-0886 bulletin. In May 2018, an additional update was released, which, by default, prevents Windows clients from connecting to remote RDP servers with vulnerable (unpatched) versions of the CredSSP protocol.
Therefore, if you have not installed cumulative security updates on your RDS/RDP servers (computers) running Windows since March 2018, and your RDP clients have May updates (or newer) installed, you will encounter an error when attempting to connect to RDS servers with unpatched versions of CredSSP. The error message you see is: “This could be due to CredSSP encryption oracle remediation.”
The RDP client error occurs after the installation of the following security updates:
- Windows 7 / Windows Server 2008 R2 — KB4103718
- Windows 8.1 / Windows Server 2012 R2 — KB4103725
- Windows Server 2016 — KB4103723
- Windows 10 1803 — KB4103721
- Windows 10 1709 — KB4103727
- Windows 10 1703 — KB4103731
- Windows 10 1609 — KB4103723
To restore remote desktop connection, you can remove security updates on the client computer from which you are initiating the RDP connection (though this is not recommended, as there is a more secure and proper solution).
To resolve the issue, you can temporarily disable the CredSSP version check on the computer you are connecting from using RDP. You can do this through the Local Group Policy Editor. Here’s how:
- Open the Local Group Policy Editor by running “gpedit.msc.”
- Navigate to Computer Configuration -> Administrative Templates -> System -> Credentials Delegation.
- Locate the policy named “Encryption Oracle Remediation.”
- Enable the policy (“Enabled”) and choose “Vulnerable” from the dropdown list as the setting.
Once you’ve done this, update the policies on your computer using the command “gpupdate /force” and try connecting via RDP to the remote computer. With the “Encryption Oracle Remediation” policy enabled and set to “Vulnerable,” your terminal applications that support CredSSP will be able to connect to RDS/RDP servers and Windows computers, even if they lack the latest security updates.
The “Encryption Oracle Remediation” policy offers three available levels of CredSSP vulnerability protection:
- Force Updated Clients: This provides the highest level of protection, where the RDP server prohibits connections from clients that are not updated. This policy is typically enabled after the entire infrastructure is fully updated, and the latest security updates are integrated into Windows installation images for servers and workstations.
- Mitigated: In this mode, outgoing remote RDP connections to RDP servers with vulnerable CredSSP versions are blocked. However, other services using CredSSP continue to work normally.
- Vulnerable: This is the lowest level of protection, allowing connections to RDP servers with vulnerable CredSSP versions.
If you don’t have the Local Group Policy Editor (e.g., in Home editions of Windows), you can make the change to allow RDP connections to servers with unpatched versions of CredSSP directly in the registry using the provided command.
REG ADD
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
/v AllowEncryptionOracle /t REG_DWORD /d 2
Import-Module ActiveDirectory
$PSs = (Get-ADComputer -Filter *).DNSHostName
“You can change this registry parameter on multiple computers in AD using domain GPO (gpmc.msc console) or with a PowerShell script (you can obtain a list of computers in the domain using the Get-ADComputer cmdlet from the RSAT-AD-PowerShell module):
- PowerShell using the RSAT-AD-PowerShell module:
First, make sure you have the RSAT-AD-PowerShell module installed. If it’s not installed, run the following command:
Install-WindowsFeature RSAT-AD-PowerShell
After that, you can use the following PowerShell script to change the parameter on multiple computers in the domain:
-
# Get a list of computers in the domain
$computers = Get-ADComputer -Filter *# Iterate through each computer and make changes to the registry
foreach ($computer in $computers) {
# Set the registry parameter value on the computer
Invoke-Command -ComputerName $computer.Name -ScriptBlock {
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" -Name "AllowEncryptionOracle" -Value 2
}
}
- Group Policy through gpmc.msc:
- Open the Group Policy Management Console on a domain controller or another computer with RSAT Tools installed.
- Create a new GPO or use an existing one that you want to configure.
- Inside the GPO, navigate to Computer Configuration -> Preferences -> Windows Settings -> Registry.
- Create a new registry entry (New -> Registry Item).
- Configure this registry entry to set the parameter value on computers in your domain.
After configuring the GPO, ensure that it is applied to the desired computers and perform a Group Policy update on client computers.”
This should help you apply the necessary changes to multiple computers in your domain to address the issue mentioned earlier.
After successfully connecting to a remote RDP server (computer), you need to install the latest security updates on it via the Windows Update service (make sure the service is enabled) or manually. Download and install the latest cumulative Windows updates as shown above. If you encounter the error “This update is not applicable to your computer” during the installation of an MSU update, please refer to the article at the provided link.
For Windows XP/Windows Server 2003, which are no longer supported, you should install updates for Windows Embedded POSReady 2009. For example, https://support.microsoft.com/en-us/help/4056564.
After installing updates and restarting the server, don’t forget to disable the policy on clients (or set it to “Force Updated Clients”), or set the registry key “AllowEncryptionOracle” to 0. In this case, your computer will not be at risk of connecting to unprotected hosts with CredSSP and exploiting the vulnerability.
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 0 /f
There is another scenario where updates are missing on your computer. For instance, the RDP server is updated, but it has a policy that blocks RDP connections from computers with a vulnerable version of CredSSP (Force Updated Clients). In this case, when attempting an RDP connection, you will also see the error “This could be due to CredSSP encryption oracle remediation.”
Check the last installation date of Windows updates on your computer using the PSWindowsUpdate module or through a WMI command in the PowerShell console:
gwmi win32_quickfixengineering | Sort-Object InstalledOn -Descending
In this example, you can see that the latest Windows security updates were installed on June 17, 2018.
Please be cautious when editing Group Policy and the Windows Registry, as making incorrect changes can cause system issues. If you are not comfortable with these procedures, consider seeking assistance from someone with expertise in Windows system administration.
This article incorporates information and material from various online sources. We acknowledge and appreciate the work of all original authors, publishers, and websites. While every effort has been made to appropriately credit the source material, any unintentional oversight or omission does not constitute a copyright infringement. All trademarks, logos, and images mentioned are the property of their respective owners. If you believe that any content used in this article infringes upon your copyright, please contact us immediately for review and prompt action.
This article is intended for informational and educational purposes only and does not infringe on the rights of the copyright owners. If any copyrighted material has been used without proper credit or in violation of copyright laws, it is unintentional and we will rectify it promptly upon notification. Please note that the republishing, redistribution, or reproduction of part or all of the contents in any form is prohibited without express written permission from the author and website owner. For permissions or further inquiries, please contact us.