In my line of work RDP is an essential tool. Take it away and you might as well have cut off one of my arms.
And so it was this morning where after my Windows 10 machine (running the latest 1803 build) applied updates overnight, all my attempts at RDP-ing to systems presented me with this:
An authentication error has occurred.
The function requested is not supported

Remote computer: blah.contoso.com
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660
You can read more about it here:
https://support.microsoft.com/en-au/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018
I appreciate that this was a security patch, but I needed my access back pronto, so cobbled together this P$ snippet to do the job:
$Rootpath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\'
if (!(test-path -path $Rootpath)) {
    New-Item -Path $Rootpath | out-null
}
if (!(test-path -path ($Rootpath + "\CredSSP"))) {
    New-Item -Path ($Rootpath + "\CredSSP") | out-null
}
$FinalPath = ($Rootpath + "\CredSSP\Parameters")
if (!(test-path -path $finalpath)) {
    New-Item -Path $finalpath | out-null
}
if (get-itemproperty -path $finalpath -name "AllowEncryptionOracle" -ErrorAction SilentlyContinue) {
    #It exists. Make sure it's set to 2
    Set-ItemProperty -Path $finalpath -name "AllowEncryptionOracle" -Value 2 | out-null
} else {
    #Add it!
    New-ItemProperty -Path $finalpath -name "AllowEncryptionOracle" -PropertyType Dword -Value 2 | out-null
}
I didn’t need to reboot for this to take effect.
– G.
Bloody Brilliant! Thanks Greig just used this!
Great script, worked a treat. Saved me time. Thanks
Great script. Another simple option would be to download the MS Remote Desktop Client from the Windows Store. It will allow you to have access to all servers while you work through the updates. Cheers.
Hear, hear!
+1 for this thread – it put my temple veins at rest, finally able to regain my RDP access.
and… +1 too for Andy’s comment – using the new MS app is a quick fix for us MS HOME users. Not sure about other editions of MS, I only use HOME.
Thanks again!!!
Can you please let me know where to add this snippet? Thank you
Hi Gayathri. You only need to paste the above in its entirety into an elevated PowerShell window. All it does is add the same registry key described in the linked support article from the section “Registry value”, then set it to 2, so you can do it that way if you’d be more comfortable.
– G.
Many thanks Greig – saved the day under slightly different circumstances.
Had both Clients and Servers fully patched to June 2018.
After a couple of weeks, found I could not RDP to all servers, only some.
Still checking root cause, but applying this script to a client machine solved the problem.
Ray
Bloody brilliant!!! Thank you so much.
Very much appreciated. Thanks.
THANK YOU!!!!
Had much the same problem at my place recently, where RDP just disappeared.
Gonna try the script today – let’s see what happens :-)
You saved my weekend.
Is there a PS script to revert it back after you’re done?
If you want to undo this, just re-run the same PS but with either a 0 or 1 as the “-Value”, depending on your preference. (The kb article describes the differences).
Just be careful as the “-Value” is used twice, depending on whether the key exists or not.
– G.
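The revert described above, as an added example that is not part of the original post or its comments: it reports the current AllowEncryptionOracle value and, if it is still 2, sets it back to 1. The function names are hypothetical, the choice of 1 rather than 0 is an assumption, and the value meanings (0 Force Updated Clients, 1 Mitigated, 2 Vulnerable) are those given in the linked support article.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell window.
# The path and value name are the ones the post's script writes to.
$Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Name = 'AllowEncryptionOracle'

# Meaning of each value, per the support article linked in the post.
$Levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspOracleLevel {
    # Returns the configured value, or $null when the policy value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-CredSspOracleLevel {
    param(
        # Only the two hardened settings are accepted; 2 is deliberately excluded.
        [Parameter(Mandatory)] [ValidateSet(0, 1)] [int]$Level
    )
    if (-not (Test-Path -Path $Path)) {
        # -Force creates any missing parent keys in one call.
        New-Item -Path $Path -Force | Out-Null
    }
    # -Force overwrites an existing value, so one call covers both the
    # "exists" and "missing" cases that the original script handles separately.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Level -Force | Out-Null
}

$before = Get-CredSspOracleLevel
if ($null -eq $before) {
    Write-Output "$Name is not configured; the operating system default applies."
} else {
    Write-Output "$Name is currently $before ($($Levels[$before]))."
}

# Assumption: revert to 1 (Mitigated) once the workaround is no longer needed.
if ($before -eq 2) {
    Set-CredSspOracleLevel -Level 1
    $after = Get-CredSspOracleLevel
    Write-Output "$Name changed to $after ($($Levels[$after]))."
}
```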
This can be added to the registry in one line with the following command:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2