It changed the default setting from Vulnerable to Mitigated, which means that any PC using CredSSP is not
able to use insecure versions. If your PC received the May update but the target PC hasn’t implemented the
CredSSP update, the PC receives the error message when it tries to connect to that PC.
The automatic Windows patch to raise the security level is not implemented if the PC doesn’t allow automatic
updates. This mismatch, in which a security requirement (which is not optional) is enforced without
the corresponding automatic update on the other machine, may be the source of this problem.
However, there are many situations such as development, testing, build, staging, and deployment
environments which require a stable environment that would be destroyed by automatic Windows updates.
Symptoms
The symptoms are rather strange because we found that some machines successfully connected while others
didn’t.
For instance, we had a Windows 7 machine that hosted Remote Desktop. A Windows 7 PC had no problem
connecting to it, but the same user connecting from a Windows 10 machine failed when that was never an
issue before and the host machine allowed remote connection for years.
There are also reports of problems with Windows 10 machines connecting to Windows 10 machines, and
people locked out of their Azure VMs.
Workaround Solution
One could roll back the security update, but rather than risking other security problems, there’s a quick fix.
Simply adjust the Remote Desktop settings on the host machine to a lower security level. From File Explorer,
choose Computer, right-click and select Properties, then click Change Settings, and go to the Remote tab.
From Windows 10, uncheck the option to “Allow connections only from computers running Remote Desktop
with Network Level Authentication (recommended)”:
From Windows 7, it’s setting the option to the Less Secure option rather than More Secure:
Once these are set, users can remote to the machine again.
Microsoft Comment
“I double checked the Windows bug database and they are aware of the problem. No ETA on a fix yet
unfortunately. Your workaround is what’s suggested to temporarily get around the error, although it is not
suggested as a long-term fix.”
Alternative Solutions
This section was added after our initial workaround and is based on the experience of many users struggling
with this problem.
The problem is often caused because the local machine is patched with the Windows Update and the machine
it’s connecting to is not patched for the CredSSP issue. If both systems were patched then this error would not
occur.
Update the target machine with the patch for the CredSSP issue (preferable).
In many cases, you don’t have the option to modify anything on the target machine. You may even be
prevented from modifying your own machine, but assuming you have administrator rights, you can change the
Group Policy on your local machine to use the Vulnerable setting.
Big picture, it’s ridiculous to lower one’s security settings to connect to a machine that wasn’t updated. It would
be much better if it prompted or automatically connected to lower level machines without turning off the higher
security level for everything else. All it takes is one target machine that you can’t modify to force this change on
your machine. But at least you can get your work done.
1. Run “gpedit.msc” to edit Group Policy, or from Windows Start, enter “Group Policy” and select “Edit
group policy”:
A. Windows 10
B. Windows 7
2. From the treeview, choose Computer Configuration -> Administrative Templates -> System ->
Credentials Delegation
3. Select “Encryption Oracle Remediation” from the right pane (if it’s not there, it probably means your
machine wasn’t patched):
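Both workarounds above leave a machine in a weakened state until someone reverts them. The read-only PowerShell audit below is an added example, not part of the original article: it reports the Encryption Oracle Remediation level and whether inbound RDP requires Network Level Authentication. The registry paths and value names are the ones Microsoft documents for these two settings and are not named in the article; the function names are hypothetical.

```powershell
# Added example: read-only audit of the two settings the workarounds change.
# Assumption: Microsoft-documented registry locations (not named in the article).
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$RdpTcpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Protection levels of the "Encryption Oracle Remediation" policy.
$OracleLevels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-RegistryValueOrNull {   # hypothetical helper
    param([string]$Path, [string]$Name)
    # An absent key or value means the setting was never configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-RdpWorkaroundState {    # hypothetical name
    $oracle = Get-RegistryValueOrNull -Path $CredSspKey -Name 'AllowEncryptionOracle'
    $nla    = Get-RegistryValueOrNull -Path $RdpTcpKey  -Name 'UserAuthentication'

    if ($null -eq $oracle) {
        $level = 'Not configured'
    } elseif ($OracleLevels.ContainsKey([int]$oracle)) {
        $level = $OracleLevels[[int]$oracle]
    } else {
        $level = "Unknown ($oracle)"
    }

    $findings = @()
    if ($oracle -eq 2) {
        $findings += 'CredSSP policy is Vulnerable: return it to Mitigated once the remote hosts are patched.'
    }
    if ($null -ne $nla -and $nla -eq 0) {
        $findings += 'Inbound RDP does not require NLA: re-enable it once clients and this host are patched.'
    }

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        EncryptionOracleLevel = $level
        NlaRequired           = if ($null -eq $nla) { 'Not configured' } else { [bool]$nla }
        Findings              = $findings
    }
}

Get-RdpWorkaroundState | Format-List
```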
The network connection fails with error: Cannot load the Remote Access Connection Manager service. Error
711: