We're trying to implement the new GP settings to mitigate the CredSSP vulnerability (CVE-2018-0886) in Windows RDP.
I have two servers set up - one patched, and one in a test farm that has not been patched since January. I have manipulated GP to set the policy to all three settings - "Vulnerable", "Mitigated", and "Force Updated Clients". When connecting from an older thin client or from the unpatched server to the patched server, the RDP connection behaves as expected. That is, it connects unless the GP is set to "Force Updated Clients".
But when I try to connect from the patched server to the unpatched server using RDP it always works. The documentation looks to me like a client set to either "Mitigated" or "Force Updated Clients" should not connect. I have the same behavior on a Windows 10 Pro Workstation. The GP for it is set to "Force Updated Clients", but I can still connect to any server whether it's updated or not.
Has anyone else tried this? Any explanation or ideas?