Starting May 9, we received many reports of Remote Desktop connections failing globally. Users received error messages like this when they tried to remote to machines they connected to successfully for a long time:
An authentication error has occurred. The function requested is not supported Remote computer: <computer name> This could be due to CredSSP encryption oracle remediation. For more information, see https:/go.microsoft.com/fwlink/?linkid=866660
The link goes to this page, https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018, and explains the Credential Security Support Provider protocol (CredSSP). It offers extensive information on a series of updates since March 2018. It recommends some steps but isn’t very clear what those changes are nor whether those changes are needed to be made by network administrators globally via group policies, or group policies on every PC and VM.
The Microsoft Security patch issued on Tuesday, May 8th triggered the problem by setting and requiring remote connections at the highest level:
Apparently, an automatic Windows patch to raise the security level is not implemented if the PC doesn’t allow automatic updates. This mismatch between the implementation of a security requirement (which is not optional) without the corresponding automatic update may be the source of this problem.
However, there are many situations such as development, testing, build, staging, and deployment environments that require a stable environment that would be violated by automatic updates.
We continue to research this.
The symptoms are rather strange because we found that some machines successfully connected while others didn’t.
For instance, we had a Windows 7 machine that hosted Remote Desktop. A Windows 7 PC had no problem connecting to it, but the same user connecting from a Windows 10 machine failed when that was never an issue before and the host machine allowed remote connection for years.
There are also reports of problems with Windows 10 machines connecting to Windows 10 machines, and people locked out of their Azure VMs.
One could rollback the security update, but rather than risking other security problems, there’s a quick fix.
Simply adjust the Remote Desktop settings on the host machine to a lower security level. From File Explorer, choose Computer, right click and select Properties, then click Change Settings, and go to the Remote tab.
From Windows 10, uncheck the option to “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)”:
From Windows 7, it’s setting the option to the Less Secure option rather than More Secure:
Once these are set, users can remote to the machine again.
Hope this helps.
We’ve discovered problems with VPN connection if the PC has Remote set to the higher security level.
The network connection fails with error: Cannot load the Remote Access Connection Manager service. Error 711:
Apparently, the Remote Desktop setting on the client side impacts its ability to connect via VPN to the host side. By lowering the setting to less secure for others to connect to the PC, the PC can now successfully connect to the VPN. What a mess
Our latest information is in my blog post: