Bypass CredSSP to regain RDP access

In my line of work RDP is an essential tool. Take it away and you might as well have cut off one of my arms.

And so it was this morning: after my Windows 10 machine (running the latest 1803 build) applied updates overnight, all my attempts at RDP-ing to systems presented me with this:

(Screenshot: RDP-Blocked)

An authentication error has occurred.
The function requested is not supported
Remote computer: blah.contoso.com
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

You can read more about it here:

https://support.microsoft.com/en-au/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

I appreciate that this was a security patch, but I needed my access back pronto, so cobbled together this PowerShell snippet to do the job. It creates the AllowEncryptionOracle policy value on the client and sets it to 2 (the "Vulnerable" setting in the KB article's terms), which lets a patched client connect to servers that haven't yet received the CredSSP update. Run it in an elevated PowerShell window, and treat it as a stopgap until the remote systems are patched, because it gives up the protection the update added:

# Registry keys, like folders, must exist before a value can be written under them,
# so build the path down to ...\CredSSP\Parameters one key at a time.
$Rootpath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if (!(Test-Path -Path $Rootpath)) { New-Item -Path $Rootpath | Out-Null }
if (!(Test-Path -Path ($Rootpath + "\CredSSP"))) { New-Item -Path ($Rootpath + "\CredSSP") | Out-Null }
$FinalPath = ($Rootpath + "\CredSSP\Parameters")
if (!(Test-Path -Path $FinalPath)) { New-Item -Path $FinalPath | Out-Null }
if (Get-ItemProperty -Path $FinalPath -Name "AllowEncryptionOracle" -ErrorAction SilentlyContinue)
{
#It exists. Make sure it's set to 2
Set-ItemProperty -Path $FinalPath -Name "AllowEncryptionOracle" -Value 2 | Out-Null
} else {
#Add it! (2 = "Vulnerable" per the KB article; 1 = "Mitigated", 0 = "Force Updated Clients")
New-ItemProperty -Path $FinalPath -Name "AllowEncryptionOracle" -PropertyType DWord -Value 2 | Out-Null
}

I didn’t need to reboot for this to take effect.
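As an added example (not the post's own script), here is a slightly more general take on the same registry change: it reads the current value back together with its meaning from KB4093492, sets any of the three documented modes by name with -WhatIf support, and removes the value again to return the client to the default. It assumes an elevated Windows PowerShell session on the client and the key path and value meanings documented in the linked KB article; the function names are my own.

```powershell
# Added example, not the original post's script. Assumes Windows PowerShell 5.1
# (or PowerShell 7 on Windows) in an elevated session. Value meanings follow
# KB4093492: 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable.
$CredSspKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$OracleModes = @{ ForceUpdatedClients = 0; Mitigated = 1; Vulnerable = 2 }

function Get-CredSspOracleSetting {
    # Reports the current AllowEncryptionOracle value, or NotSet when the value
    # (or the whole key) is absent, in which case the OS default applies.
    $item = Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Mode = 'NotSet' }
    }
    $value = [int]$item.AllowEncryptionOracle
    $mode  = ($OracleModes.GetEnumerator() | Where-Object { $_.Value -eq $value } | Select-Object -First 1).Key
    if (-not $mode) { $mode = 'Unknown' }
    [pscustomobject]@{ Value = $value; Mode = $mode }
}

function Set-CredSspOracleSetting {
    # Sets the policy value by name; supports -WhatIf / -Confirm via ShouldProcess.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('ForceUpdatedClients', 'Mitigated', 'Vulnerable')]
        [string]$Mode
    )
    $value = $OracleModes[$Mode]
    if ($PSCmdlet.ShouldProcess($CredSspKey, "Set AllowEncryptionOracle = $value ($Mode)")) {
        # New-Item -Force creates every missing parent key in one call.
        if (-not (Test-Path -Path $CredSspKey)) {
            New-Item -Path $CredSspKey -Force | Out-Null
        }
        # New-ItemProperty -Force overwrites an existing value, so no exists-check is needed.
        New-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -PropertyType DWord -Value $value -Force | Out-Null
    }
    Get-CredSspOracleSetting
}

function Reset-CredSspOracleSetting {
    # Deletes the value so the client falls back to the post-update default behaviour.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($CredSspKey, 'Remove AllowEncryptionOracle')) {
        Remove-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    }
    Get-CredSspOracleSetting
}

# Usage:
#   Get-CredSspOracleSetting                              # what is the client doing right now?
#   Set-CredSspOracleSetting -Mode Vulnerable -WhatIf     # preview only, changes nothing
#   Set-CredSspOracleSetting -Mode Vulnerable             # the workaround from the post
#   Set-CredSspOracleSetting -Mode Mitigated              # once the remote servers are patched
#   Reset-CredSspOracleSetting                            # remove the override entirely
```

Reading the value works from an unelevated session; writing under HKLM needs elevation. Using named modes rather than a bare number makes it harder to leave a client sitting on "Vulnerable" by accident, and -WhatIf shows exactly which key and value would be touched before anything is written.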

– G.

15 Comments

  1. Great script. Another simple option would be to download the MS Remote Desktop Client from the Windows Store. It will allow you to have access to all servers while you work through the updates. Cheers.

  2. Hear hear!

    +1 for this thread – it put my temple veins at rest, finally able to regain my RDP access.

    and… +1 too for Andy’s comment – using the new MS app is a quick fix for us MS HOME users. Not sure about other editions of MS, I only use HOME.

    Thanks again!!!

  3. Hi Gayathri. You only need to paste the above in its entirety into an elevated PowerShell window. All it does is add the same registry key described in the linked support article in the section “Registry value”, then set it to 2, so you can do it that way if you’d be more comfortable.

    – G.

  4. Many thanks Greig – saved the day under slightly different circumstances.
    Had both Clients and Servers fully patched to June 2018.
    After a couple of weeks, found I could not RDP to all servers, only some.
    Still checking root cause, but applying this script to a client machine solved the problem.
    Ray

    • If you want to undo this, just re-run the same PS but with either a 0 or 1 as the “-Value”, depending on your preference. (The kb article describes the differences).

      Just be careful as the “-Value” is used twice, depending on whether the key exists or not.

      – G.

  5. This can be added to the registry in one line with the following command (run from an elevated command prompt; reg.exe takes the HKLM\ form of the path rather than PowerShell's HKLM:\ drive, and /f overwrites an existing value without prompting):

    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2 /f
