Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
- Article
- 08/25/2023
In this article
This article provides a solution to an issue in which you are not able to connect to a virtual machine [VM] using RDP with error: CredSSP encryption oracle remediation.
Original product version: Virtual Machine running Windows Original KB number: 4295591
Note
Was this article helpful? Your input is important to us. Please use the Feedback button on this page to let us know how well this article worked for you or how we can improve it.
Symptoms
Consider the following scenario:
- The Credential Security Support Provider protocol [CredSSP] updates for CVE-2018-0886 are applied to a Windows VM [remote server] in Microsoft Azure or on a local client.
- You try to make a remote desktop [RDP] connection to the server from the local client.
In this scenario, you receive the following error message:
An authentication error has occurred. The function requested is not supported. Remote computer: . This could be due to CredSSP encryption oracle remediation. For more information, see //go.microsoft.com/fwlink/?linkid=866660.
How to verify that the CredSSP update is installed
Check the update history for the following updates, or check the version of TSpkg.dll that is located at %systemroot%\system32.
Operating system TSpkg.dll version with CredSSP update CredSSP update Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1 6.1.7601.24117 KB4103718 [Monthly Rollup] KB4103712 [Security-only update] Windows Server 2012 6.2.9200.22432 KB4103730 [Monthly Rollup] KB4103726 [Security-only update] Windows 8.1 / Windows Server 2012 R2 6.3.9600.18999 KB4103725 [Monthly Rollup] KB4103715 [Security-only update] RS1 - Windows 10 Version 1607 / Windows Server 2016 10.0.14393.2248 KB4103723 RS2 - Windows 10 Version 1703 10.0.15063.1088 KB4103731 RS3 - Windows 10 1709 10.0.16299.431 KB4103727
Cause
This error occurs if you are trying to establish an insecure RDP connection, and the insecure RDP connection is blocked by an Encryption Oracle Remediation policy setting on the server or client. This setting defines how to build an RDP session by using CredSSP, and whether an insecure RDP is allowed.
The following table summarizes the behavior of RDP connection based on the CredSSP update status and CredSSP policy setting [AllowEncryptionOracle value]:
Server CredSSP update status Client CredSSP update status Force updated clients [0] Mitigated [1] Vulnerable [2] Installed No Block Allow 1 Allow No Installed Block 2 Block Allow Installed Installed Allow Allow Allow
Examples
1 The server has the CredSSP update installed, and Encryption Oracle Remediation is set to Mitigated on the server side. The server will accpect the RDP connection from clients that do not have the CredSSP update installed.
2 The client has the CredSSP update installed, and Encryption Oracle Remediation is set to Force updated clients or Mitigated on the client side. This client will cannot connect to a server that does not have the CredSSP update installed.
Resolution
To resolve the issue, install CredSSP updates for both client and server so that RDP can be established in a secure manner. For more information, see CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability.
How to install this update by using Azure Serial console
- Sign in to the Azure portal, select Virtual Machine, and then select the VM.
- Scroll down to the Help section, and then click Serial console. The serial console requires Special Administrative Console [SAC] to be enabled within the Windows VM. If you do not see SAC> in the console [as shown in the following screenshot], go to the "" section in this article.
- Type
cmdto start a channel that has a CMD instance. - Type
ch -si 1to switch to the channel that is running the CMD instance. You receive the following output: - Press Enter, and then enter your login credentials that have administrative permission.
- After you enter valid credentials, the CMD instance opens, and you will see the command at which you can start troubleshooting.
- To start a PowerShell instance, type
PowerShell. - In the PowerShell instance, based on the VM operating system. This script performs the following steps:
- Create a folder in which to save the download file.
- Download the update.
- Install the update.
- Add the vulnerability key to allow non-updated clients to connect to the VM.
- Restart the VM
How to install this update by using Remote PowerShell
- On any Windows-based computer that has PowerShell installed, add the IP address of the VM to the "trusted" list in the host file, as follows:
Set-item wsman:\localhost\Client\TrustedHosts -value
- In the Azure portal, configure Network Security Groups on the VM to allow traffic to port 5986.
- In the Azure portal, select Virtual Machine > < your VM >, scroll down to the OPERATIONS section, click the Run command, and then run EnableRemotePS.
- On the Windows-based computer, for the appropriate system version of your VM. This script performs the following steps:
- Connect to Remote PowerShell on the VM.
- Create a folder to which to save the download file.
- Download the Credssp update.
- Install the update.
- Set the vulnerability registry key to allow non-updated clients to connect to the VM.
- Enable Serial Console for future and easier mitigation.
- Restart the VM.
Workaround
Warning
After you change the following setting, an unsecure connection is allowed that will expose the remote server to attacks. Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.
Scenario 1: Updated clients cannot communicate with non-updated servers
The most common scenario is that the client has the CredSSP update installed, and the Encryption Oracle Remediation policy setting doesn't allow an insecure RDP connection to a server that does not have the CredSSP update installed.
To work around this issue, follow these steps:
- On the client that has the CredSSP update installed, run gpedit.msc, and then browse to Computer Configuration > Administrative Templates > System > Credentials Delegation in the navigation pane.
- Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.
If you cannot use gpedit.msc, you can make the same change by using the registry, as follows:
- Open a Command Prompt window as Administrator.
- Run the following command to add a registry value:
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
Scenario 2: Non-updated clients cannot communicate with patched servers
If the Azure Windows VM has this update installed, and it is restricted to receiving non-updated clients, follow these steps to change the Encryption Oracle Remediation policy setting:
- On any Windows computer that has PowerShell installed, add the IP of the VM to the "trusted" list in the host file:
Set-item wsman:\localhost\Client\TrustedHosts -value
- Go to the Azure portal, locate the VM, and then update the Network Security group to allow PowerShell ports 5985 and 5986.
- On the Windows computer, connect to the VM by using PowerShell:
For
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "" -port "5985" -Credential [Get-Credential] -SessionOption $Skip
For
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "" -port "5986" -Credential [Get-Credential] -useSSL -SessionOption $Skip
- Run the following command to change the Encryption Oracle Remediation policy setting by using the registry:
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name "AllowEncryptionOracle" 2 -Type DWord
Azure Serial Console scripts
OS Version Script Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1
Create a download location
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
0
Download the KB file
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
1
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
2
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
3
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
4
Install the KB
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
5
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
6
Add the vulnerability key to allow unpatched clients
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
7
Restart the VM to complete the installations/settings
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
8
Windows Server 2012
Create a download location
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
0
Download the KB file
Set-item wsman:\localhost\Client\TrustedHosts -value
0
Set-item wsman:\localhost\Client\TrustedHosts -value
1
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
3
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
4
Install the KB
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
5
Set-item wsman:\localhost\Client\TrustedHosts -value
5
Add the vulnerability key to allow unpatched clients
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
7
Restart the VM to complete the installations/settings
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
8
Windows 8.1 / Windows Server 2012 R2
Create a download location
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
0
Download the KB file
Set-item wsman:\localhost\Client\TrustedHosts -value
9
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "" -port "5985" -Credential [Get-Credential] -SessionOption $Skip
0
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
3
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
4
Install the KB
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
5
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "" -port "5985" -Credential [Get-Credential] -SessionOption $Skip
4
Add the vulnerability key to allow unpatched clients
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
7
Restart the VM to complete the installations/settings
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
8
RS1 - Windows 10 version 1607 / Windows Server 2016
Create a download location
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
0
Download the KB file
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "" -port "5985" -Credential [Get-Credential] -SessionOption $Skip
8
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "" -port "5985" -Credential [Get-Credential] -SessionOption $Skip
9
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
3
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
4
Install the KB
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
5
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "" -port "5986" -Credential [Get-Credential] -useSSL -SessionOption $Skip
3
Add the vulnerability key to allow unpatched clients
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
7
Restart the VM to complete the installations/settings
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
8
RS2 - Windows 10 version 1703
Create a download location
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
0
Download the KB file
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "" -port "5986" -Credential [Get-Credential] -useSSL -SessionOption $Skip
7
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "" -port "5986" -Credential [Get-Credential] -useSSL -SessionOption $Skip
8
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
3
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
4
Install the KB
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
5
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name "AllowEncryptionOracle" 2 -Type DWord
2
Add the vulnerability key to allow unpatched clients
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
7
Restart the VM to complete the installations/settings
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
8
RS3 - Windows 10 version 1709 / Windows Server 2016 version 1709
Create a download location
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
0
Download the KB file
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name "AllowEncryptionOracle" 2 -Type DWord
6
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name "AllowEncryptionOracle" 2 -Type DWord
7
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
3
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
4
Install the KB
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
5 `%systemroot%\system32`1
Add the vulnerability key to allow unpatched clients
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
7
Restart the VM to complete the installations/settings
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
8
RS4 - Windows 10 1803 / Windows Server 2016 version 1803
Create a download location
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
0
Download the KB file
%systemroot%\system32`5
%systemroot%\system32`6
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
3
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
4
Install the KB
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
5 `cmd`0
Add the vulnerability key to allow unpatched clients
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
7
Restart the VM to complete the installations/settings
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
8
Remote PowerShell scripts
OS Version Script Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1
Set up your variables:
`cmd`3 `cmd`4 `cmd`5
change this variable if you customize HTTPS on PowerShell to another port
#Log in to your subscription `cmd`6 `cmd`7 `cmd`8
Connect to Remote PowerShell
`cmd`9 `ch -si 1`0
Create a download location
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
0
Download the KB file
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
1
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
2
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
3
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
4
Install the KB
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
5
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
6
Add the vulnerability key to allow unpatched clients
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
7
Set up Azure Serial Console flags
cmd
`PowerShell`0
`PowerShell`1
`PowerShell`2
`PowerShell`3
`PowerShell`4
Restart the VM to complete the installations/settings
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
8
Windows Server 2012
Set up your variables:
`cmd`3 `cmd`4 `cmd`5
change this variable if you customize HTTPS on PowerShell to another port
#Log in to your subscription `cmd`6 `cmd`7 `cmd`8
Connect to Remote PowerShell
`cmd`9 `ch -si 1`0
Create a download location
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
0
Download the KB file
Set-item wsman:\localhost\Client\TrustedHosts -value
0
Set-item wsman:\localhost\Client\TrustedHosts -value
1
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
3
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
4
Install the KB
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
5
Set-item wsman:\localhost\Client\TrustedHosts -value
5
Add the vulnerability key to allow unpatched clients
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
7
Set up Azure Serial Console flags
cmd
`PowerShell`0
`PowerShell`1
`PowerShell`2
`PowerShell`3
`PowerShell`4
Restart the VM to complete the installations/settings
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
8
Windows 8.1 / Windows Server 2012 R2
Set up your variables:
`cmd`3 `cmd`4 `cmd`5
change this variable if you customize HTTPS on PowerShell to another port
#Log in to your subscription `cmd`6 `cmd`7 `cmd`8
Connect to Remote PowerShell
`cmd`9 `ch -si 1`0
Create a download location
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
0
Download the KB file
Set-item wsman:\localhost\Client\TrustedHosts -value
9
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "" -port "5985" -Credential [Get-Credential] -SessionOption $Skip
0
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
3
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
4
Install the KB
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
5
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "" -port "5985" -Credential [Get-Credential] -SessionOption $Skip
4
Add the vulnerability key to allow unpatched clients
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
7
Set up Azure Serial Console flags
cmd
`PowerShell`0
`PowerShell`1
`PowerShell`2
`PowerShell`3
`PowerShell`4
Restart the VM to complete the installations/settings
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
8
RS1 - Windows 10 version 1607 / Windows Server 2016
Set up your variables:
`cmd`3 `cmd`4 `cmd`5
change this variable if you customize HTTPS on PowerShell to another port
#Log in to your subscription `cmd`6 `cmd`7 `cmd`8
Connect to Remote PowerShell
`cmd`9 `ch -si 1`0
Create a download location
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
0
Download the KB file
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "" -port "5985" -Credential [Get-Credential] -SessionOption $Skip
8
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "" -port "5985" -Credential [Get-Credential] -SessionOption $Skip
9
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
3
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
4
Install the KB
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
5
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "" -port "5986" -Credential [Get-Credential] -useSSL -SessionOption $Skip
3
Add the vulnerability key to allow unpatched clients
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
7
Set up Azure Serial Console flags
cmd
`PowerShell`0
`PowerShell`1
`PowerShell`2
`PowerShell`3
`PowerShell`4
Restart the VM to complete the installations/settings
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
8
RS2 - Windows 10 version 1703
Set up your variables:
`cmd`3 `cmd`4 `cmd`5
change this variable if you customize HTTPS on PowerShell to another port
#Log in to your subscription `cmd`6 `cmd`7 `cmd`8
Connect to Remote PowerShell
`cmd`9 `ch -si 1`0
Create a download location
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
0
Download the KB file
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "" -port "5986" -Credential [Get-Credential] -useSSL -SessionOption $Skip
7
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "" -port "5986" -Credential [Get-Credential] -useSSL -SessionOption $Skip
8
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
3
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
4
Install the KB
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
5
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name "AllowEncryptionOracle" 2 -Type DWord
2
Add the vulnerability key to allow unpatched clients
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
7
Set up Azure Serial Console flags
cmd
`PowerShell`0
`PowerShell`1
`PowerShell`2
`PowerShell`3
`PowerShell`4
Restart the VM to complete the installations/settings
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
8
RS3 - Windows 10 version 1709 / Windows Server 2016 version 1709
Set up your variables:
`cmd`3 `cmd`4 `cmd`5
change this variable if you customize HTTPS on PowerShell to another port
#Log in to your subscription `cmd`6 `cmd`7 `cmd`8
Connect to Remote PowerShell
`cmd`9 `ch -si 1`0
Create a download location
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
0
Download the KB file
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name "AllowEncryptionOracle" 2 -Type DWord
6
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name "AllowEncryptionOracle" 2 -Type DWord
7
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
3
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
4
Install the KB
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
5 `%systemroot%\system32`1
Add the vulnerability key to allow unpatched clients
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
7
Set up Azure Serial Console flags
cmd
`PowerShell`0
`PowerShell`1
`PowerShell`2
`PowerShell`3
`PowerShell`4
Restart the VM to complete the installations/settings
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
8
RS4 - Windows 10 1803 / Windows Server 2016 version 1803
Set up your variables:
`cmd`3 `cmd`4 `cmd`5
change this variable if you customize HTTPS on PowerShell to another port
#Log in to your subscription `cmd`6 `cmd`7 `cmd`8
Connect to Remote PowerShell
`cmd`9 `ch -si 1`0
Create a download location
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
0
Download the KB file
%systemroot%\system32`5
%systemroot%\system32`6
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
3
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
4
Install the KB
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
5 `cmd`0
Add the vulnerability key to allow unpatched clients
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
7
Set up Azure Serial Console flags
cmd
`PowerShell`0
`PowerShell`1
`PowerShell`2
`PowerShell`3
`PowerShell`4
Restart the VM to complete the installations/settings
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
8
If you have questions or need help, , or ask Azure community support. You can also submit product feedback to Azure feedback community.