“CredSSP encryption oracle remediation” error when RDP to a Windows VM in Azure


Recently, we have frequently been seeing the "CredSSP encryption oracle remediation" error when connecting over RDP to a Windows VM in Azure. The error prevents you from logging in to your Azure VM. Full documentation and root cause analysis of the issue is in this article released by Microsoft Support.

Do not worry if you run into this issue: resolving it on your Azure VM is simple and can be done from the Azure portal. The steps are:

  1. Log in to https://portal.azure.com
  2. Navigate to the Azure Virtual Machine tab and go to the VM that is giving this error
  3. Under Operations, select the Run Command option, which lets you run a PowerShell script
  4. In the PowerShell script section, type in the two lines below and click Run
# 2 = Vulnerable protection level; /f overwrites an existing value without prompting
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2 /f

Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -Name "AllowEncryptionOracle" -Value 2 -Type DWord

Now on your own machine (client machine), follow the below steps:

  1. On the client that has the CredSSP update installed, run gpedit.msc, and then browse to Computer Configuration > Administrative Templates > System > Credentials Delegation in the navigation pane.
  2. Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.

If needed, restart the server. When you now try to RDP into your Azure VM, you will be able to log in and complete the connection. Please note that it is highly recommended to patch your VMs and follow the latest guidelines in the Microsoft Support article.
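
The steps above leave AllowEncryptionOracle at 2, the Vulnerable level. As an added example (not part of the original post or of Microsoft's article), the following PowerShell reports the current level on the VM and, once patches are installed, puts it back to Mitigated. The function names are hypothetical, and the value meanings assumed are 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable.

```powershell
# Added example: audit the CredSSP workaround and revert it after patching.
# Function names are hypothetical. Run in an elevated PowerShell session.
$CredSspKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName  = 'AllowEncryptionOracle'
# Protection levels of the Encryption Oracle Remediation policy.
$Levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspOracleLevel {
    # Missing key or missing value both mean the setting was never configured.
    $item = Get-ItemProperty -Path $CredSspKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { $value = $null; $name = 'Not configured' }
    else {
        $value = [int]$item.$ValueName
        $name  = if ($Levels.ContainsKey($value)) { $Levels[$value] } else { "Unknown ($value)" }
    }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Value       = $value
        Level       = $name
        NeedsRevert = ($value -eq 2)   # still at the workaround level
    }
}

function Reset-CredSspOracleLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(0, 1)][int]$Level = 1)   # 1 = Mitigated

    $current = Get-CredSspOracleLevel
    if (-not $current.NeedsRevert) {
        Write-Verbose "Nothing to revert: level is '$($current.Level)'."
        return $current
    }
    if ($PSCmdlet.ShouldProcess($CredSspKey, "Set $ValueName to $Level ($($Levels[$Level]))")) {
        Set-ItemProperty -Path $CredSspKey -Name $ValueName -Value $Level -Type DWord
    }
    Get-CredSspOracleLevel
}

# Report first; revert only once the CredSSP update is installed on both ends.
Get-CredSspOracleLevel
# Reset-CredSspOracleLevel -WhatIf     # preview the change
# Reset-CredSspOracleLevel -Verbose    # apply it
```

On the client, where the level was set through gpedit.msc, change it back in the same Encryption Oracle Remediation policy setting rather than in the registry.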

-Cheers

Comments (4)

  1. Hello. Same issue for Azure Stack VMs. What is the recommended fix for VMs executing on Azure Stack?

    1. Rohit Minni says:

      This might work or might not but it's worth a shot – https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-ios
      Download the mobile client for RDP and install the patches/updates from your mobile device. Once done you should be able to log in to your VM from your machine. Part of the problem why you aren't able to connect is because your local client is not set to make connections to the remote machine, hence doing this from your phone might solve this.

  2. IggyHack says:

    Just had this issue trying to remote into my WSUS server after upgrading to Windows 10 Pro 1803 (along with other issues 🙁 )

    1. IggyHack says:

      Resolved it with no issues!
