XXHighEnd

There is some CredSSP policy defaults change in May 8, 2018 Win10 update. This change may cause remote desktop login to fail. Of course only PCs that have been updated are affected.

Zheng

Yes, it caused my RDC to fail...had to change the policy back to "vulnerable" to keep it working.

Hi guys,

What do we exactly notice of this ? how do we solve it ?
Of course I'm asking on behalf of (near) future issues for others with this.

Thanks !
Peter

Type "Group Policy" into the W10 search box and open up "Edit Group Policy".

In the left pane "Computer Configuration" then "Administrative Templates" then "System" then "Credentials Delegation" then in the right pane double-click "Encryption Oracle Remediation" and a new window will open.  In the bottom left pane on this window set "Protection Level" to "Vulnerable" and then ok out of everything.

That should do it.

Great, Anthony. Thanks.
Can you please elaborate on how this issue expresses itself ?
It could even be more important to know the exhibit than knowing how to solve it. So ... at some stage (could be a year after today) people receive a W10 update and suddenly ... [...] ?

Thank you again !
Peter

It is a policy change with the May 8 windows update.  All they changed was the default setting to a more secure one for such connections.  It affects RDC by RDC simply not working in our case, a failure to authenticate...instead an error box comes up saying something about CredSSP and an "authentication error" or some such thing.  Change the policy back to "vulnerable" as I posted earlier and it will all work again.

OK, clear. Thank you, Anthony.

Regards,
Peter

Hi guys,

I don’t update the Win 10 on the Audio PC but I had the same problem with Windows 7 updating in my music server. I have been unable to connect the music server to Audio PC via RDP since yesterday.

I will try the solution mentioned by Anthony on my Win 7 music server. Hope it works?

Will post results.

Best regards,

Arvind

Hi Anthony,

Thank you very much, it worked on my music server. Got the RDP connection back on.

Best regards,

Arvind

Hi Peter,
It would be ideal to find a solution that does NOT require to change group policy to "vulnerable". I think it will require some work on the host PC (mostly audio PC with specific older Win10 builds) so that the client PC will not have to fall back to a more vintage and vulnerable state.

Best,
Zheng

Hi Zheng,

Somehow I read your post as a contradictio in terminis ?

Regards,
Peter

Good to hear Arvind. 

My MusicServer is connected to the internet but I use XXHE to make sure it does not update the OS so this May 8 update has not affected it.  When I am casual listening in my office I will RDC into the MusicServer from another (work) computer that does automatically update and thus was the one that was affected and the one that I had to reset the Group Policy. 

So if your MusicServer does not update (thanks to XXHE settings) then the only place a problem should occur is on the windows machine that is used to RDC to the MusicServer.

OK, so while the vulnerability exists for each OS, each OS also receives upgrades for it (I suppose not XP ;)). Good to know !
Man, 6 months back or so I had to install SP1 for a W7 machine (which controls the Audio PC over here) while for all this time I never ever applied any upgrade (KB) to it. I suppose I wouldn't know where to go without this information. OK, Google is your friend, but still.

Thank you for sharing this, Zheng.
Peter

This worked perfectly. Thanks Anthony.

Mani.

Hi, I need some help. I can't find "Encryption Oracle Remediation". Please take a look to the picture sorry for the quality but I took it with my phone because I don't want to connect the Audio Pc to Internet.

Juan

Juan, I think you change this setting in your music server PC, not your audio pc.

The image is from the Audio Pc, first I've try to do it in the Server Pc but the screen was the same

Juan

Are you sure its not there? I had to read the list 3 times before i finally saw it. You should post a picture from your music server pc if you still cannot find it.

Brian

Hi Brian, thanks for your help but no way to find "Encryption Oracle Remediation" in any of the computers. However I've found other solution that works perfectly: Allow Multiple Remote Desktop Sessions
Can find the way in this link:
https://m.youtube.com/watch?v=fi87Xe78YNY

Best regards
Juan

Hi Juan,

Please notice that the RDPW program (YouTube) you linked to is not about Multiple Remote Desktop Sessions however, it does that too. But we should not be confused by this.

Btw, when I read your post yesterday, it occurred to me that the Policy entry wouldn't be there for "Home" OSes. Can that be so ? If yes, this is exactly the reason why RDPW will help (it was made for that). But not sure, because it would be about the receiving PC (like the Audio PC).

Best regards,
Peter

Hi Peter, the video that I posted was not exactly the one I used because I used one that was in Spanish. The Winrar, however, it is the same and I used it only on the server computer. The Windows OS that I have in that Pc is the Pro version.

Best regards
Juan

Juan,

I didn't look at the Policy screen(s) myself, but I know there are two main parts in there. One for "system" or something and one for "users" (or something). Are you sure you investigated both parts ? (not that I saw ths advised to you, but that's why I do it now :)). Maybe I am not even right with it, but ... please investigate it.

Regards,
Peter

OK, I see that Anthony did point it out for sure. But the mistake on your side is made very easily because both main entries I refer to look mighty much similar.

Ok Peter thanks I'll take a look later because now hay have to go away home. Anyway the rar file works perfectly and I'm using it only in the server. Couldn't it be better than make the Audio Pc vulnerable? Maybe it is the same, I don't know much about it.

Best regards,
Juan

Juan, maybe the opposite;
If you engage that Multi User option (this is an option in there somewhere IIRC), then now people can log into your PC and you wouldn't even notice.
Quite smart eh, for vulnerability.
Ahum.

Peter

Peter at the moment that is the only solution I found since I couldn't find out where the registry entry was, I will look later if it is possible to solve it as you said

Kind regards
Juan

Juan,

Strange question : do you have the problem (can't make a connection any more) in the first place ?
I mean, I don't have that Group Policy setting either ... in 14393.0.


Now I don't know what you are referring to, but means applied via the Group Policy Editor usually (or most often) won't let apply themselves via Registry changes. Read : they are a combination of appliances (at the same time) with special rigths required. IOW, I don't recall many tweaks which usually require GPEdit that don't need special (API) functions and most often it is a lot of work to get them going.

N.b.: In a Home version we can't even perform GPEdit (it isn't there).

RDPW is such a (very smart) program and all it does it allow RDP where it normally is not allowed. It is in there but not allowed. We need to pay more first. ;)

Peter

FYI :

This problem extends way further than RDP only and it affects all kind of authentication (log in) issues. This is what I get from my ERP life (customers not being able to connect to databases etc.).
I think I wil have more info soon and also more "solution".

Peter

Well Juan, there is one after all.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
"AllowEncryptionOracle"

The bold part may not be there yet, so create that yourself if necessary. The "AllowEncryptionOracle" is the Key to make. Give this the (DWord) value of 2.

Watch out : I noticed inconsistent behavior with a system which allows you to change the Group Policy Entry as denoted by Anthony (acg) while it does not work. So, when set to "Vulnerable", for systems where it does not help the Key receives a value of 0 (while 2 is the value which helps).
Notice : When you need to create/change this Registry Key in order to let RDP work again, *and* you first configured the "Oracle" Group Policy Value, it is best to set this Group Policy to "not configured" again, to avoid additional inconsistency; when you indeed had to apply the latter, be sure to again add the Registry Key because it will be gone now.

So the situation which seems to be consistent (for as long as it (Windows Updates) takes is :

1. Have the Group Policy "Oracle" value Not Configured.
2. Give mentioned Registry Key a value of 2.

This sustains after a reboot.

Best regards,
Peter

Still struggling with this problem, yesterday the rar file stopped working

Juan

Peter, couldn't it be a problem of Windows activation in the Audio PC?

Juan

Juan, interesting pose.
I have one W10 tablet somewhere and I suppose it is up to date with W10 updates. I can try it on my own, if it is your idea that could cause your problem. But it seems hard to believe because quite some more people would be bothered by it ?
If I don't forget it, I will try it later today (I am not there at this moment).

Best regards,
Peter

Juan, what does that mean "the rar file stopped working" ?

Peter

Peter, I was referring to the winrar that modifies the Windows desktop to make it accessible to multiple users. That was the vídeo I posted. As I said, at the end, it didn't work
The solution I found is to extend the life of the operating system for 6 more months, the maximum allowed. So far it is working fine.
I also did what you told me, I mean to change the value in the Registry from 0 to 2 creating the new entry because in my case it didn't t exist. Therefore I don't know if the solution is due to the two things together or only to the activation of the Audio PC OS for 6 more months. What I'm sure is that with only the change in the Registry it didn't work.

Regards

Juan

PS. I PM you the way I did it

Hmm ...

Still testing it, so far it works but not so sure that all is ok

Juan

After turning on and off the remote desktop several times to test it and restarting the Audio Pc a couple of times it works correctly without the Ramdisk inside. We'll see if it stays that way.

Juan

Hi Peter,
FYI.
Here is a site that is addressing the server/client patching so RDC can function under "Mitigated". The servers in question are for us mostly mean Audio PC as I understand.


Here is link to the site:
https://www.mcbsys.com/blog/2018/03/updating-the-credssp-group-policy/

No, it doesn't work fine. When I stop the music there is a disconnection of the remote desktop and I have to put again the ramdisk inside, restart the Audio Pc and then I can regain control of the remote desktop. So I hope someone can find a better solución.

Thanks Zheng, perhaps your proposal is a good one

Juan

Juan,

So you're saying that you can play several tracks on the audio PC, all this time the remote connection is fine (you can change volume and such) and only when you press Stop the connection is lost ?
(seems hard to imagine)

Regards,
Peter

I'm not sure Peter, sorry, actually I thought it happened when I pressed Stop but now it's playing well and nothing unusual happens. I even turned off the remote desktop and it worked again when I reconnect it. I will try to observe it to see when it loses the connection, if it loses it again. For now, everything works fine. Have you investigate to know if it has to do with Windows activation?

Regards,
Juan

Hi Peter, this is working fine for the second consecutive day. I think that the problem is solved and that everything works very well.

Best regards
Juan

Hi Juan,

But do you also know how the problem was solved ?

Which Build do you have anyway (Music Server PC) ?
The obtrusive one should be 17134.48 (or smaller).

Regards,
Peter

Hi Peter, I used KMSAuto Net in the Audio Pc

Best regards,
Juan

Hi Juan,

That's half of the answer to my questions.
And it is even hard to digest. :)

Best regards,
Peter

Hi Peter,

The Windows Build in my Music Server Pc is 10586.164

About KMSAuto Net
I can't t tell you much more. I followed the advice of a computer technician friend of mine who has solved the problem with the remote desktop prolonging the life of the Windows Build 180 days more. That's what KMS Net does. I hope that nothing has broken on the Audio PC.

Best regards,
Juan

That is what I wanted to know. Thank you Juan.

So these old(er) versions are updated just the same (but didn't I read that for e.g. Windows 7 these updates ("KB") were available as well ?).

Best regards,
Peter

Still no RDP possible....  :(

I have tried all suggestions... nothing works.

Not even the multiple user option (that works only when the AudioPC is in normal mode).

Even implemented a new PC to act as server in between my MainPC and the AudioPC. Newly installed Windows on it and the fartest I can get is to have access to the files on the AudioPC (cable connected to the ServerPC).

F*ck.

Bert,

In the end I think this is related to the SMB (Server Message Block) protocol. Today we have version I, II and I think also III. This relates to "communication" of both sides and they must talk the same language. Not that this will help you really, but it suggests that the solution can occur on both sides and also that the one needs upgrading or downgrading. So example, both will talk (all the way) when both talk SMBII but when A talks SMBIII and B SMBII, B could upgrade to III or A could downgrade to II.

This is all I know about it and I never have been involved in really solving something in this area (one (thus me) must first have the problem, in order to see through what needs to be done (and then still I don't pretend to be able to)).

Peter

So... best change would be to use the same vesrion of Windows for the music server?

Lost mine though... do you still have the 10.0.14393 RAM-OS as ISO-file somewhere on line?

Then at least I can use the ServerPC to RDP the AudioPC (if that then works).

Bert

Bert, yes I can find that for you.
Try to take care of the updates (via XXHighEnd's - Stop-Rightclick button), or otherwise it will end up the same.

Peter

Thanks! Hope it helps...


On the AudioPC this was done the moment XXHighend showed up on the screen...  but how to do this on the ServerPC? XXHighend should not be installed on there? Should it?

Bert

Theoretically not. Practically for many Yes, because of Tidal.
Or for the reason not to let upgrade the W10 OS. :)

Notice that these days this is harmless because of the UAC being allowed to stay Up. But don't go to MinOS of course and don't try to really utilize XXHighEnd for playback.

Anyway, cross fingers that it will help you ...
Peter

This works... the ServerPC is connected through RDP with the AudioPC.

Next step is to figure out how to play music from that server ...

... and optimally how to connect wirelessly through Wifi (and a tablet) to control the ServerPC in the end so that all is connected and optimally accesible.

Computers ...  :grazy:

Done, so far so good... now I can remove the videocard from the AudioPC and play music from the ServerPC.

Bert

Bert, just in time. A couple of days more and we would have blamed it on your age ... :old:
I know ...

All is up and running now...

Updated the server as well!

But this did the trick, I can access the server from any PC now where this registry entry was applied.

• Open a Command Prompt window as Administrator.
  
  
• Run the following command to add a registry value:
  
  REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
  

Bert

PS, now with extra ServerPC in the chain I might as well start with Tidal!

:)