PowerShell: Resolve “CredSSP encryption oracle remediation” Error on Windows 2016

Error message:

An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660.

Resolution via PowerShell:

Source: https://support.microsoft.com/en-us/help/4295591/credssp-encryption-oracle-remediation-error-when-to-rdp-to-azure-vm

1. Connect to remote server via PowerShell:
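# Target server name and IP address (placeholder values - replace with your own)
$SHERVERNAME = "SHERVER007"
$SHERVERIP='256.256.256.256'

# Optional, depending on whether PowerShell remoting has been enabled.
# A TrustedHosts entry tells the client to authenticate to a host whose identity
# WinRM cannot verify, so keep the list as short as possible and remove the entry
# when the work is done. -Concatenate appends to the existing list; without it
# Set-Item replaces whatever was already configured.
Set-Item wsman:\localhost\Client\TrustedHosts -Value $SHERVERIP -Concatenate

# Check to ensure that port 5986 (WinRM over HTTPS) is operational
Test-NetConnection $SHERVERNAME -Port 5986

# Connect to the remote server's WinRM HTTPS listener, i.e. the port tested above.
# -UseSSL is needed for that: without it Enter-PSSession uses the HTTP listener
# and the two Skip* options have no effect.
# -SkipCACheck / -SkipCNCheck turn off validation of the server certificate, so the
# session is encrypted but the server is not authenticated by its certificate.
# Use them only for a host you can identify another way (e.g. a self-signed lab
# certificate) and drop them once the server has a certificate the client trusts.
Enter-PSSession -ComputerName $SHERVERNAME -UseSSL -Credential (Get-Credential) -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)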
2. Script to Fix CredSSP Issues:
<#
# CredSSP allows delegation of authentication. By default, that is disabled

# Check CredSSP
(Get-Item WSMan:\localhost\Client\Auth\CredSSP).value

# Check whether CredSSP is disabled on the client (the comparison below only tests the value; it does not change it)
(Get-Item WSMan:\localhost\Client\Auth\CredSSP).value -eq $false
#>

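function detectWindowsVersion{
    <#
    .SYNOPSIS
    Selects the CredSSP update package that matches the local Windows version.

    .DESCRIPTION
    Reads the OS caption and service pack level from Win32_OperatingSystem and the
    ReleaseID value from the registry, then publishes the selection in two global
    variables that applyCredSspPatch and showPatch read:
      $GLOBAL:source - download URL of the update package (.msu)
      $GLOBAL:kb     - KB identifier used to confirm the installation
    Both are reset to $null first and stay $null when the OS or release is not in
    the table, so a value left over from an earlier run in the same session is
    never reused.

    .NOTES
    Every URL is plain HTTP and points at an x64 package. The transport gives no
    integrity guarantee, so the downloaded file must be verified (digital
    signature or published hash) before it is installed.
    NOTE(review): the hex suffix in each file name looks like a SHA-1 digest of
    the package - confirm against the Microsoft Update Catalog entry.
    #>

    # Start from a clean state so an unsupported OS cannot inherit a previous selection
    $GLOBAL:source=$null
    $GLOBAL:kb=$null

    $windowsOS=Get-WmiObject -class Win32_OperatingSystem
    $windowsName=$windowsOS.Caption
    $windowsServicePack=$windowsOS.ServicePackMajorVersion
    $releaseID=(Get-ItemProperty "REGISTRY::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ReleaseID

    switch -wildcard ($windowsName){
        "Microsoft Windows XP*"{
            "Windows XP is way out of date. Turn it off asap."
            break
        }
        "Microsoft Windows 7*"{
            "$windowsName has been detected..."
            if ($windowsServicePack -eq 1){
                # Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1
                $GLOBAL:source = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows6.1-kb4103718-x64_c051268978faef39e21863a95ea2452ecbc0936d.msu"
                $GLOBAL:kb="KB4103718"
            }else{
                "Windows 7 is no longer being supported by Michael Shop..."
            }
            break
        }
        "Microsoft Windows Server 2008*"{
            "$windowsName has been detected..."
            if ($windowsName -like "Microsoft Windows Server 2008 R2*"){
                # Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1
                $GLOBAL:source = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows6.1-kb4103718-x64_c051268978faef39e21863a95ea2452ecbc0936d.msu"
                $GLOBAL:kb="KB4103718"
            }else{
                "Windows 2008 is no longer being supported by Michael Shop..."
            }
            break
        }
        "Microsoft Windows Server 2012*"{
            if ($windowsName -like "Microsoft Windows Server 2012 R2*"){
                "Microsoft Windows Server 2012 R2 has been detected..."
                # Windows 8.1 / Windows Server 2012 R2
                $GLOBAL:source = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows8.1-kb4103725-x64_cdf9b5a3be2fd4fc69bc23a617402e69004737d9.msu"
                $GLOBAL:kb="KB4103725"
            }else{
                "Microsoft Windows Server 2012 has been detected..."
                # Windows Server 2012 Default
                $GLOBAL:source = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/04/windows8-rt-kb4103730-x64_1f4ed396b8c411df9df1e6755da273525632e210.msu"
                $GLOBAL:kb="KB4103730"
            }
            break
        }
        "Microsoft Windows Server 2016*"{
            "$windowsName release ID $releaseID has been detected..."
            switch ($releaseID){
                1607{
                    # RS1 - Windows 10 version 1607 / Windows Server 2016
                    $GLOBAL:source = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows10.0-kb4103723-x64_2adf2ea2d09b3052d241c40ba55e89741121e07e.msu"
                    # Same upper-case spelling as every other KB id in this table
                    $GLOBAL:kb="KB4103723"
                }
                1709{
                    # RS3 - Windows 10 version 1709 / Windows Server 2016 version 1709
                    $GLOBAL:source = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103727-x64_c217e7d5e2efdf9ff8446871e509e96fdbb8cb99.msu"
                    $GLOBAL:kb="KB4103727"
                }
                1803{
                    # RS4 - Windows 10 1803 / Windows Server 2016 version 1803
                    $GLOBAL:source = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103721-x64_fcc746cd817e212ad32a5606b3db5a3333e030f8.msu"
                    $GLOBAL:kb="KB4103721"
                }
                default{
                    "No CredSSP update is mapped for release ID $releaseID."
                }
            }
            break
        }
        "Microsoft Windows 10*"{
            "$windowsName release ID $releaseID has been detected..."
            switch ($releaseID){
                1607{
                    # RS1 - Windows 10 version 1607
                    $GLOBAL:source = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows10.0-kb4103723-x64_2adf2ea2d09b3052d241c40ba55e89741121e07e.msu"
                    $GLOBAL:kb="KB4103723"
                }
                1703{
                    # RS2 - Windows 10 version 1703
                    $GLOBAL:source = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103731-x64_209b6a1aa4080f1da0773d8515ff63b8eca55159.msu"
                    $GLOBAL:kb="KB4103731"
                }
                1709{
                    # RS3 - Windows 10 version 1709 / Windows Server 2016 version 1709
                    $GLOBAL:source = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103727-x64_c217e7d5e2efdf9ff8446871e509e96fdbb8cb99.msu"
                    $GLOBAL:kb="KB4103727"
                }
                1803{
                    # RS4 - Windows 10 1803 / Windows Server 2016 version 1803
                    $GLOBAL:source = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103721-x64_fcc746cd817e212ad32a5606b3db5a3333e030f8.msu"
                    $GLOBAL:kb="KB4103721"
                }
                default{
                    "No CredSSP update is mapped for release ID $releaseID."
                }
            }
            break
        }
        default{
            # Caption not covered by the table above: leave $source/$kb empty
            "No CredSSP update is mapped for '$windowsName'."
        }
    }
}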

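function applyCredSspPatch{
    <#
    .SYNOPSIS
    Downloads the update named by $source, installs it with DISM, sets the CredSSP
    AllowEncryptionOracle policy value and reports the result through showPatch.

    .DESCRIPTION
    Reads the global $source set by detectWindowsVersion. Working files are kept
    under C:\Temp and DISM logs to C:\Temp\kbLog.txt. Progress and error messages
    are written to the output stream; nothing else is returned.

    .NOTES
    NOTE(review): C:\Temp is a fixed, predictable location. Confirm that only
    administrators can write to it, because files placed there are handed to DISM.
    #>

    # Nothing was selected for this OS: stop instead of handing $null to DownloadFile
    if (-not $source){
        "No CredSSP update was selected for this system; nothing to install."
        return
    }

    # Create temp folder to hold the downloads
    New-Item -ItemType Directory -Force -Path C:\Temp | Out-Null

    # Download the KB. A failed download must not fall through to installing
    # whatever an earlier run left at the same path.
    $credSspPatch="C:\Temp\credSspPatch.cab"
    try{
        (New-Object System.Net.WebClient).DownloadFile($source,$credSspPatch)
    }catch{
        "Download of $source failed: $($_.Exception.Message)"
        return
    }

    # The package arrives over plain HTTP, so check its Authenticode signature
    # before unpacking or installing anything from it.
    $signature=Get-AuthenticodeSignature -FilePath $credSspPatch
    if ($signature.Status -ne 'Valid' -or $signature.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*'){
        "The downloaded package does not carry a valid Microsoft signature (status: $($signature.Status)). Nothing was installed."
        return
    }

    # Install the patch
    $log="C:\Temp\kbLog.txt"
    $extractFolder="C:\temp\credSspPatch\"
    # Start from an empty folder so a package extracted by an earlier run cannot be picked up
    if (Test-Path $extractFolder){
        Remove-Item -Path $extractFolder -Recurse -Force
    }
    New-Item -ItemType Directory -Force -Path $extractFolder | Out-Null
    expand -F:* $credSspPatch $extractFolder

    # Same filter as before (a .cab whose name is longer than 12 characters), but
    # keep one match only and use its full path so the DISM argument stays valid.
    $cabPath=Get-ChildItem -Path $extractFolder -Recurse |
        Where-Object {$_.Name -like "*.cab" -and $_.Name.Length -gt 12} |
        Select-Object -First 1 -ExpandProperty FullName
    if (-not $cabPath){
        "No update package (.cab) was found in $extractFolder. Nothing was installed."
        return
    }

    "Patching is in progress. Please wait for a the next message to show completion. This may take a while..."
    DISM /ONLINE /add-package /packagepath:"$cabPath" /quiet /norestart /logpath:"$log"
    # Start-Process -FilePath "C:\Windows\System32\wusa.exe" -ArgumentList "$credSspPatch /quiet" -Wait # DISM works better!

    # 0 = success, 3010 = success with a restart pending; anything else is a failure
    if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 3010){
        "DISM returned exit code $LASTEXITCODE; see $log. The CredSSP policy value was left unchanged."
        showPatch
        return
    }

    # AllowEncryptionOracle: 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable.
    # Value 2 lets this host fall back to the insecure CredSSP behaviour so that
    # unpatched peers can still connect, which leaves it exposed to the encryption
    # oracle weakness the update addresses. Treat it as a temporary bridge while
    # the remaining machines are patched, then lower it to 1 (or 0).
    $policyKey='HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    if (!(Test-Path $policyKey)){
        New-Item -Path $policyKey -Force | Out-Null
    }
    # One write covers both cases (value missing or set to something else) and
    # never stops at REG ADD's overwrite prompt.
    Set-ItemProperty -Path $policyKey -Name "AllowEncryptionOracle" -Value 2 -Type DWord

    showPatch
}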

function showPatch{
    # Reports whether the update named in the global $kb shows up in the list of
    # installed hotfixes returned by Win32_QuickFixEngineering.
    # Other ways to inspect the same thing by hand:
    #   gwmi win32_quickfixengineering | sort installedon -desc | Select-Object -First 1
    #   dism /online /get-packages | findstr KB4103730
    # NOTE(review): only the exact KB id is matched; a later update that includes
    # this fix under a different id would presumably be reported as NOT installed.
    $installedIds=(Get-WmiObject win32_quickfixengineering).HotFixID

    if ($installedIds -contains $kb){
        "$kb has been installed on this system to remediate CredSSP.`n"
        "When ready, run this command 'Restart-Computer -force' to reboot and apply changes.`n"
        "Please be advised that production servers should only be restarted gracefully to avoid problems."
    }else{
        "$kb has NOT been installed on this system."
    }
}

# Entry point: select the update for this OS (sets $source and $kb),
# then download, install and report on it.
detectWindowsVersion
applyCredSspPatch
