In March 2018, Microsoft released a security update that fixes a vulnerability in the Credential Security Support Provider Protocol (CredSSP). This vulnerability (CVE-2018–0886) allows an attacker to remotely execute arbitrary code on a vulnerable Windows host with an open RDP port (TCP/3389). In May 2018, an update “2018-05 Security only/Monthly Rollup” was released. It blocks the connection to computers with an affected version of CredSSP.
When you try to connect to a remote computer with a vulnerable CredSSP from Windows 10/Windows Server 2016, you receive the Remote Desktop Connection error:
An authentication error has occurred.
The function is not supported.
Remote Computer: hostname
This could be due to CredSSP encryption oracle remediation.For more information, see link.
On Windows 7, the CredSSP error looks like this:
An authentication error has occurred.
The function requested is not supported.
Remote computer: hostnname
To fix This could be due to credssp encryption oracle remediation error, you need to install the latest Windows security update on the remote computer. You can install the latest Cumulative Update for your Windows version. You can download the update manually via Microsoft Update Catalog or install it via Windows Update or WSUS.
Hint. CredSSP authentication error appears only when you try to connect via RDP from a computer on which the latest security updates are installed to a non-updated computer (for example, a computer that never gets updates, or a clean installed device with a Windows 10/Windows Server 2016 build that was released before March 2018).
Hint. There is a workaround allowing you to connect to a computer with a vulnerable version of CredSSP. To do this, you need to configure a special Group Policy parameter named Encryption Oracle Remediation on your computer from which you are establishing the Remote Desktop connection.
- Press Win+R, type gpedit.msc, and press Enter;
- Go to the following section of the Local Group Policy Editor: Computer Configuration > Administrative Templates > System > Credentials Delegation;
- Open the policy setting Encryption Oracle Remediation;
- Change its state to Enabled, and set Vulnerable in the Protection Level field;
- Update the Group Policy settings using:
gpupdate /forceHint. You can also allow your computer to connect to vulnerable versions of CredSSP through the registry. Run the following command through elevated command prompt:
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /f /v AllowEncryptionOracle /t REG_DWORD /d 2
Now you can connect to the remote host via RDP and install the updates. After upgrading, don’t forget to disable the policy or reset the AllowEncryptionOracle registry value to its original value:
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /f /v AllowEncryptionOracle /t REG_DWORD /d 0
There are 3 options in the “Encryption Oracle Remediation” policy:
- Vulnerable — the client can connect to vulnerable computers;
- Mitigated — the client cannot connect to vulnerable servers, but the servers can allow vulnerable clients to connect;
- Force Updated Clients — secure RDP CredSPP interoperability layer.
If from a computer that doesn’t have the CredSPP security update installed you can’t connect to an updated RDP/RDS host with the “Force updated clients” option enabled, you can allow the server to accept connections with an affected version of CredSPP. To do this, you need to enable the policy with the Mitigated value on the server. In this way, to make changes to the server you can remotely connect to it via PowerShell under admin credentials:
Enter-PSSession -ComputerName Enter-PSSession -ComputerName RDSServer01 -Credential RDSServer01\administrator
And allow the connection:
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name "AllowEncryptionOracle" 2 -Type DWord
In all cases, Microsoft always recommends installing the latest Windows updates on both the RDP server and the client.
- Using Nslookup in Windows to List DNS Servers and Records - May 11, 2022
- Fix: Windows 10 Keyboard not Working - May 11, 2022
- How to Fix Gmail Not Updating on iPhone? - May 3, 2022
What complete bullshit. I reinstalled Windows 10 and searched for updates. Windows Update says my machine is up-to-date, version 1511, but RDP into it doesn’t work. There’s no option to install a newer version or any more updates. Tell us exactly what update to install and where to download it.
Windows 10 version 1511 went end-of-support in 2018. You should upgrade to build Windows 10 version 21H2, which is expected to be supported through at least 2023 (and Windows Update should prompt you to download & install the next “feature update” aka version when it’s time to do so). The Windows 10 Update Assistant should help you upgrade to 21H2 in the meantime, since your built-in Windows Update is no longer able to find any updates.
https://en.wikipedia.org/wiki/Windows_10_version_history#Channels
https://support.microsoft.com/en-us/topic/windows-10-update-assistant-3550dfb2-a015-7765-12ea-fba2ac36fb3f
Hope this helps!