Fixing “CredSSP Encryption Oracle Remediation” Error in Windows 10 RDP Connections


2 views

After Microsoft's May 2018 security updates, many administrators encountered a frustrating issue when attempting RDP connections to Windows 10 Pro workstations. The error message appears after successful credential entry:

"An authentication error occurred. The function requested is not supported. This could be due to CredSSP encryption oracle remediation"

This error stems from Microsoft's patch for CVE-2018-0886, which addressed a CredSSP protocol vulnerability. The security update modifies how Credential Security Support Provider (CredSSP) handles encryption, causing compatibility issues between patched and unpatched systems.

Before applying fixes, confirm these conditions:

  • Error occurs only on patched systems (KB4093120 or later)
  • Credentials are definitely correct
  • Directory services are operational
  • Unpatched systems connect without issues

The quickest solution is modifying the CredSSP policy via registry. Create a .reg file with this content:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002

Or apply it programmatically with PowerShell:

$regPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters"
if (!(Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}
Set-ItemProperty -Path $regPath -Name "AllowEncryptionOracle" -Value 2 -Type DWord

For enterprise environments, configure via GPO:

  1. Open Group Policy Management Console
  2. Navigate to: Computer Configuration > Administrative Templates > System > Credentials Delegation
  3. Enable "Encryption Oracle Remediation"
  4. Set protection level to "Vulnerable" (temporary) or "Mitigated" (recommended)

The proper resolution involves ensuring all systems in your environment have the May 2018 updates or later. This creates a consistent security baseline where all systems use the patched CredSSP implementation.

Use this PowerShell command to verify CredSSP-related updates:

Get-HotFix | Where-Object {$_.InstalledOn -ge [datetime]"05/01/2018"} | 
Sort-Object InstalledOn -Descending | 
Select-Object HotFixID,Description,InstalledOn

For Azure VMs or other cloud instances, Microsoft automatically applies these security updates. If you encounter the error:

  • Verify VM update status
  • Check network security group rules
  • Consider using Azure Bastion as an alternative

When troubleshooting, enable detailed logging:

wevtutil set-log Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational /e:true
wevtutil set-log Microsoft-Windows-TerminalServices-LocalSessionManager/Operational /e:true

Then reproduce the issue and check Event Viewer under Applications and Services Logs > Microsoft > Windows > TerminalServices-*

html

After Microsoft's May 2018 security updates (particularly KB4103727), many administrators encountered a specific RDP authentication failure when connecting to Windows 10 Pro workstations. The error manifests after successful credential entry but before session establishment:

Event ID: 0
An authentication error occurred. The function requested is not supported.
This could be due to CredSSP encryption oracle remediation

Microsoft patched CVE-2018-0886 (CredSSP remote code execution vulnerability) by modifying Credential Security Support Provider protocol behavior. The update introduced strict encryption requirements:

  • Server-side: Must support the latest encryption standards
  • Client-side: Must either match or exceed server encryption level
  • Legacy systems: No longer accept weak cipher suites

Check affected components with these PowerShell commands:

# Check OS version
[System.Environment]::OSVersion.Version

# Verify installed updates
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10

# Check RDP protocol version
(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp")."SecurityLayer"

Option 1: Group Policy Configuration

For domain environments, deploy these settings via GPO:

Computer Configuration > Administrative Templates > System > Credentials Delegation
Set "Encryption Oracle Remediation" to "Enabled" and "Protection Level" to "Vulnerable"

Option 2: Manual Registry Edit

For standalone machines, modify this registry key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002

For Azure VMs, implement these changes through Desired State Configuration:

Configuration CredSSPFix
{
    Node "localhost"
    {
        Registry CredSSPUpdate
        {
            Ensure = "Present"
            Key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters"
            ValueName = "AllowEncryptionOracle"
            ValueData = "2"
            ValueType = "Dword"
        }
    }
}

After implementing changes, test the RDP connection while monitoring Event Viewer logs:

# Filter relevant security events
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | 
Where-Object {$_.Id -eq 1149} | 
Select-Object -First 5

For environments requiring backward compatibility:

  1. Deploy Windows Server 2016 as RDP gateway
  2. Configure NLA (Network Level Authentication)
  3. Implement certificate-based authentication