CredSSP Encryption Oracle Remediation error when using RDP

When working with Cisco UCCE and its components, you often need to remotely connect to one or another system component via Remote Desktop Protocol (RDP). Sometimes the RDP session is not established, and the CredSSP Encryption Oracle Remediation error is issued. Let’s see how it can be fixed.

The causes of this problem, as well as options for solving it, are described in detail in various sources. When writing this post, I used one of them; the link to the source is below (the screenshots are also taken from it):

https://blogs.technet.microsoft.com/mckittrick/unable-to-rdp-to-virtual-machine-credssp-encryption-oracle-remediation/

In short, Microsoft discovered a vulnerability in the CredSSP protocol in early 2018. The essence of the problem is that it was possible, bypassing the check, to execute various commands on the server itself on behalf of the accounts in use, including installing and removing arbitrary software, changing and deleting data on the server, and creating accounts with arbitrary rights. To solve this problem, the vendor released a number of patches. However, error-free operation requires these patches to be installed on both the client side and the server side. If the patch is installed only on the client and not on the server, the RDP connection fails and reports a problem with CredSSP.

Of course, the correct way out of the situation is to install the required Microsoft patches on both sides. But to gain temporary access to a server that has not been updated, you can use one of two methods:

Method 1. Temporarily change the policy settings through the Local Group Policy Editor on the computer on which you are using the RDP client (i.e. on the client machine). Run gpedit.msc, then follow the path Computer Configuration / Administrative Templates / System / Credentials Delegation in the left pane.

Change Encryption Oracle Remediation to Enabled and Protection Level to Vulnerable.

Method 2. The Local Group Policy Editor is not available on Windows Home Edition. In this case, the change can be made through the Windows registry (this command is executed through Windows PowerShell):

REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2

After making such changes, you will get remote access to your server, on which you will need to install the required patch to eliminate the CredSSP protocol vulnerability. After the patch is installed on the server, the changes made on the client computer must be canceled and the policy settings returned to their original state.
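
The last step above, returning the client to its original state, can be checked and performed with a short script. This is an added example, not part of the original post or of Microsoft's article; the function names are made up for illustration, and it assumes an elevated Windows PowerShell session on the client machine where Method 2 was applied.

```powershell
# Added example: audit and revert the temporary CredSSP client workaround.
# Function names below are hypothetical; run from an elevated session.
$Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Name = 'AllowEncryptionOracle'

# Protection levels of the Encryption Oracle Remediation policy.
$Levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspOracleLevel {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Restore-CredSspOracleLevel {
    # Removes the override so the patched client falls back to its default level.
    if ($null -ne (Get-CredSspOracleLevel)) {
        Remove-ItemProperty -Path $Path -Name $Name
    }
}

$current = Get-CredSspOracleLevel
if ($null -eq $current) {
    Write-Output "$Name is not set; the client uses its default protection level."
}
elseif ($current -eq 2) {
    # Value 2 is the temporary workaround described in Method 2.
    Write-Warning "$Name = 2 (Vulnerable): the temporary workaround is still active."
    Restore-CredSspOracleLevel
    if ($null -eq (Get-CredSspOracleLevel)) {
        Write-Output "Override removed; the client is back on its default level."
    }
}
else {
    Write-Output "$Name = $current ($($Levels[$current]))"
}
```

If the setting was made through Method 1 instead, set Encryption Oracle Remediation back to Not Configured in gpedit.msc; deleting only the registry value would be undone the next time local policy is reapplied.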