This article provides a solution to an issue in which you are not able to connect to a virtual machine (VM) using RDP with error: CredSSP encryption oracle remediation.
Original product version: Virtual Machine running Windows
Original KB number: 4295591
Symptoms
Consider the following scenario:
- The Credential Security Support Provider protocol (CredSSP) updates for CVE-2018-0886 are applied to a Windows VM (remote server) in Microsoft Azure or on a local client.
- You try to make a remote desktop (RDP) connection to the server from the local client.
In this scenario, you receive the following error message:
An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660.
How to verify that the CredSSP update is installed
Check the update history for the following updates, or check the version of TSpkg.dll.
Operating system | TSpkg.dll version with CredSSP update | CredSSP update |
---|---|---|
Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1 | 6.1.7601.24117 | KB4103718 (Monthly Rollup); KB4103712 (Security-only update) |
Windows Server 2012 | 6.2.9200.22432 | KB4103730 (Monthly Rollup); KB4103726 (Security-only update) |
Windows 8.1 / Windows Server 2012 R2 | 6.3.9600.18999 | KB4103725 (Monthly Rollup); KB4103715 (Security-only update) |
RS1 - Windows 10 Version 1607 / Windows Server 2016 | 10.0.14393.2248 | KB4103723 |
RS2 - Windows 10 Version 1703 | 10.0.15063.1088 | KB4103731 |
RS3 - Windows 10 Version 1709 | 10.0.16299.431 | KB4103727 |
Cause
This error occurs if you are trying to establish an insecure RDP connection, and the insecure RDP connection is blocked by an Encryption Oracle Remediation policy setting on the server or client. This setting defines how to build an RDP session by using CredSSP, and whether an insecure RDP is allowed.
See the following interoperability matrix for scenarios that are either vulnerable to this exploit or cause operational failures.
Client setting (rows) / Server setting (columns) | Server: Updated | Server: Force updated clients | Server: Mitigated | Server: Vulnerable |
---|---|---|---|---|
Client: Updated | Allowed | Blocked (2) | Allowed | Allowed |
Client: Force updated clients | Blocked | Allowed | Allowed | Allowed |
Client: Mitigated | Blocked (1) | Allowed | Allowed | Allowed |
Client: Vulnerable | Allowed | Allowed | Allowed | Allowed |
Examples
(1) The client has the CredSSP update installed, and Encryption Oracle Remediation is set to Mitigated. This client will not RDP to a server that does not have the CredSSP update installed.
(2) The server has the CredSSP update installed, and Encryption Oracle Remediation is set to Force updated clients. The server will block any RDP connection from clients that do not have the CredSSP update installed.
Resolution
To resolve the issue, install CredSSP updates for both client and server so that RDP can be established in a secure manner. For more information, see CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability.
How to install this update by using Azure Serial console
1. Sign in to the Azure portal, select Virtual Machine, and then select the VM.
2. Scroll down to the Support + Troubleshooting section, and then click Serial console (Preview). The serial console requires the Special Administrative Console (SAC) to be enabled within the Windows VM. If you do not see the SAC> prompt in the console (as shown in the following screenshot), go to the 'How to install this update by using Remote PowerShell' section in this article.
3. Type cmd to start a channel that has a CMD instance.
4. Type ch -si 1 to switch to the channel that is running the CMD instance. When the channel's output appears, press Enter, and then enter your login credentials that have administrative permission.
5. After you enter valid credentials, the CMD instance opens at a command prompt from which you can start troubleshooting.
6. To start a PowerShell instance, type PowerShell.
7. In the PowerShell instance, run the Azure Serial Console script for the VM operating system (see the 'Azure Serial Console scripts' section later in this article). This script performs the following steps:
- Create a folder in which to save the downloaded file.
- Download the update.
- Install the update.
- Add the vulnerability key to allow non-updated clients to connect to the VM.
- Restart the VM.
How to install this update by using Remote PowerShell
1. On any Windows-based computer that has PowerShell installed, add the IP address of the VM to the 'trusted' list in the host file.
2. In the Azure portal, configure Network Security Groups on the VM to allow traffic to port 5986.
3. In the Azure portal, select Virtual Machine > < your VM >, scroll down to the OPERATIONS section, click the Run command, and then run EnableRemotePS.
4. On the Windows-based computer, run the Remote PowerShell script for the appropriate system version of your VM (see the 'Remote PowerShell scripts' section later in this article). This script performs the following steps:
- Connect to Remote PowerShell on the VM.
- Create a folder in which to save the downloaded file.
- Download the CredSSP update.
- Install the update.
- Set the vulnerability registry key to allow non-updated clients to connect to the VM.
- Enable Serial Console for future and easier mitigation.
- Restart the VM.
Workaround
Warning
After you change the following setting, an unsecure connection is allowed that will expose the remote server to attacks. Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.
Scenario 1: Updated clients cannot communicate with non-updated servers
The most common scenario is that the client has the CredSSP update installed, and the Encryption Oracle Remediation policy setting doesn't allow an insecure RDP connection to a server that does not have the CredSSP update installed.
To work around this issue, follow these steps:
1. On the client that has the CredSSP update installed, run gpedit.msc, and then browse to Computer Configuration > Administrative Templates > System > Credentials Delegation in the navigation pane.
2. Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.
If you cannot use gpedit.msc, you can make the same change by using the registry, as follows:
1. Open a Command Prompt window as Administrator.
2. Run a REG ADD command (the same one used in the scripts later in this article) to add the AllowEncryptionOracle registry value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters.
Scenario 2: Non-updated clients cannot communicate with patched servers
If the Azure Windows VM has this update installed, and it is configured to reject connections from non-updated clients, follow these steps to change the Encryption Oracle Remediation policy setting:
1. On any Windows computer that has PowerShell installed, add the IP of the VM to the 'trusted' list in the host file.
2. Go to the Azure portal, locate the VM, and then update the Network Security Group to allow the PowerShell ports 5985 and 5986.
3. On the Windows computer, connect to the VM by using PowerShell:
For HTTP:
For HTTPS:
4. Run a REG ADD command (the same one used in the scripts later in this article) to change the Encryption Oracle Remediation policy setting by setting the AllowEncryptionOracle registry value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters.
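As an added example for both workaround scenarios (not part of this article or of Microsoft's scripts), the following PowerShell audits a machine against the two facts the article gives, the TSpkg.dll version table and the AllowEncryptionOracle registry value, and changes the policy only when explicitly asked. It assumes an elevated Windows PowerShell session on the client (Scenario 1) or inside the remote session on the VM (Scenario 2), and the value mapping 0 = Force updated clients, 1 = Mitigated, 2 = Vulnerable (only 2 appears in the article's scripts; 0 and 1 are taken from the CVE-2018-0886 guidance).

```powershell
# Added example, not from KB 4295591. Audits the CredSSP update state and the
# Encryption Oracle Remediation policy on the local machine; run elevated.
# Assumed value mapping: 0 = Force updated clients, 1 = Mitigated, 2 = Vulnerable.

$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

# Minimum TSpkg.dll versions that carry the CredSSP update (the article's table).
# Builds not listed here (for example Windows 10 1803) are reported as unknown.
$PatchedTSpkg = @{
    '6.1'   = [version]'6.1.7601.24117'    # Windows 7 SP1 / Windows Server 2008 R2 SP1
    '6.2'   = [version]'6.2.9200.22432'    # Windows Server 2012
    '6.3'   = [version]'6.3.9600.18999'    # Windows 8.1 / Windows Server 2012 R2
    '14393' = [version]'10.0.14393.2248'   # Windows 10 1607 / Windows Server 2016
    '15063' = [version]'10.0.15063.1088'   # Windows 10 1703
    '16299' = [version]'10.0.16299.431'    # Windows 10 1709
}

$LevelName  = @{ 0 = 'Force updated clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }
$LevelValue = @{ ForceUpdatedClients = 0; Mitigated = 1; Vulnerable = 2 }

function Get-CredSspUpdateState {
    # Build the version from the numeric parts; the FileVersion string can carry
    # a trailing branch tag that [version] does not parse.
    $fi = (Get-Item "$env:SystemRoot\System32\TSpkg.dll").VersionInfo
    $installed = New-Object System.Version($fi.FileMajorPart, $fi.FileMinorPart, $fi.FileBuildPart, $fi.FilePrivatePart)
    # 10.0.x builds are distinguished by build number, older releases by major.minor.
    $lookup = if ($installed.Major -eq 10) { "$($installed.Build)" } else { "$($installed.Major).$($installed.Minor)" }
    $required = $PatchedTSpkg[$lookup]
    [pscustomobject]@{
        TSpkgVersion    = $installed
        RequiredVersion = $required
        UpdateInstalled = if ($null -eq $required) { 'Unknown (build not in table)' } else { $installed -ge $required }
    }
}

function Get-EncryptionOracleRemediation {
    # Reads the same value the article's REG ADD command writes.
    $prop = Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Not configured' }
    $v = [int]$prop.AllowEncryptionOracle
    $name = if ($LevelName.ContainsKey($v)) { $LevelName[$v] } else { 'Unrecognised value' }
    "$v ($name)"
}

function Set-EncryptionOracleRemediation {
    # Equivalent to: REG ADD <key> /v AllowEncryptionOracle /t REG_DWORD /d <n>
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ForceUpdatedClients', 'Mitigated', 'Vulnerable')]
        [string]$Level
    )
    if (-not (Test-Path $CredSspKey)) { New-Item -Path $CredSspKey -Force | Out-Null }
    New-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -PropertyType DWord `
        -Value $LevelValue[$Level] -Force | Out-Null
    Get-EncryptionOracleRemediation
}

# Audit first. Vulnerable is the article's temporary workaround; once both sides
# carry the update, return the policy to Mitigated or Force updated clients.
Get-CredSspUpdateState | Format-List
"Encryption Oracle Remediation: $(Get-EncryptionOracleRemediation)"
# Set-EncryptionOracleRemediation -Level Vulnerable   # workaround for Scenario 1 or 2
# Set-EncryptionOracleRemediation -Level Mitigated    # revert after patching
```

Running the audit on both the client and the server before touching the policy tells you which side of the interoperability matrix you are on, and the commented Set call is the only line that changes state.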
Azure Serial Console scripts
Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1

```powershell
#Create a download location
md c:\temp
##Download the KB file
$source = 'http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows6.1-kb4103718-x64_c051268978faef39e21863a95ea2452ecbc0936d.msu'
$destination = 'c:\temp\windows6.1-kb4103718-x64_c051268978faef39e21863a95ea2452ecbc0936d.msu'
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)
#Install the KB
expand -F:* $destination C:\temp
dism /ONLINE /add-package /packagepath:'c:\temp\Windows6.1-KB4103718-x64.cab'
#Add the vulnerability key to allow unpatched clients
REG ADD 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' /v AllowEncryptionOracle /t REG_DWORD /d 2
#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f
```

Windows Server 2012

```powershell
#Create a download location
md c:\temp
##Download the KB file
$source = 'http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/04/windows8-rt-kb4103730-x64_1f4ed396b8c411df9df1e6755da273525632e210.msu'
$destination = 'c:\temp\windows8-rt-kb4103730-x64_1f4ed396b8c411df9df1e6755da273525632e210.msu'
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)
#Install the KB
expand -F:* $destination C:\temp
dism /ONLINE /add-package /packagepath:'c:\temp\Windows8-RT-KB4103730-x64.cab'
#Add the vulnerability key to allow unpatched clients
REG ADD 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' /v AllowEncryptionOracle /t REG_DWORD /d 2
#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f
```

Windows 8.1 / Windows Server 2012 R2

```powershell
#Create a download location
md c:\temp
##Download the KB file
$source = 'http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows8.1-kb4103725-x64_cdf9b5a3be2fd4fc69bc23a617402e69004737d9.msu'
$destination = 'c:\temp\windows8.1-kb4103725-x64_cdf9b5a3be2fd4fc69bc23a617402e69004737d9.msu'
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)
#Install the KB
expand -F:* $destination C:\temp
dism /ONLINE /add-package /packagepath:'c:\temp\Windows8.1-KB4103725-x64.cab'
#Add the vulnerability key to allow unpatched clients
REG ADD 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' /v AllowEncryptionOracle /t REG_DWORD /d 2
#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f
```

RS1 - Windows 10 version 1607 / Windows Server 2016

```powershell
#Create a download location
md c:\temp
##Download the KB file
$source = 'http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows10.0-kb4103723-x64_2adf2ea2d09b3052d241c40ba55e89741121e07e.msu'
$destination = 'c:\temp\windows10.0-kb4103723-x64_2adf2ea2d09b3052d241c40ba55e89741121e07e.msu'
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)
#Install the KB
expand -F:* $destination C:\temp
dism /ONLINE /add-package /packagepath:'c:\temp\Windows10.0-KB4103723-x64.cab'
#Add the vulnerability key to allow unpatched clients
REG ADD 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' /v AllowEncryptionOracle /t REG_DWORD /d 2
#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f
```

RS2 - Windows 10 version 1703

```powershell
#Create a download location
md c:\temp
##Download the KB file
$source = 'http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103731-x64_209b6a1aa4080f1da0773d8515ff63b8eca55159.msu'
$destination = 'c:\temp\windows10.0-kb4103731-x64_209b6a1aa4080f1da0773d8515ff63b8eca55159.msu'
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)
#Install the KB
expand -F:* $destination C:\temp
dism /ONLINE /add-package /packagepath:'c:\temp\Windows10.0-KB4103731-x64.cab'
#Add the vulnerability key to allow unpatched clients
REG ADD 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' /v AllowEncryptionOracle /t REG_DWORD /d 2
#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f
```

RS3 - Windows 10 version 1709 / Windows Server 2016 version 1709

```powershell
#Create a download location
md c:\temp
##Download the KB file
$source = 'http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103727-x64_c217e7d5e2efdf9ff8446871e509e96fdbb8cb99.msu'
$destination = 'c:\temp\windows10.0-kb4103727-x64_c217e7d5e2efdf9ff8446871e509e96fdbb8cb99.msu'
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)
#Install the KB
expand -F:* $destination C:\temp
dism /ONLINE /add-package /packagepath:'c:\temp\Windows10.0-KB4103727-x64.cab'
#Add the vulnerability key to allow unpatched clients
REG ADD 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' /v AllowEncryptionOracle /t REG_DWORD /d 2
#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f
```

RS4 - Windows 10 version 1803 / Windows Server 2016 version 1803

```powershell
#Create a download location
md c:\temp
##Download the KB file
$source = 'http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103721-x64_fcc746cd817e212ad32a5606b3db5a3333e030f8.msu'
$destination = 'c:\temp\windows10.0-kb4103721-x64_fcc746cd817e212ad32a5606b3db5a3333e030f8.msu'
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)
#Install the KB
expand -F:* $destination C:\temp
dism /ONLINE /add-package /packagepath:'c:\temp\Windows10.0-KB4103721-x64.cab'
#Add the vulnerability key to allow unpatched clients
REG ADD 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' /v AllowEncryptionOracle /t REG_DWORD /d 2
#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f
```
Remote PowerShell scripts
Each script signs in to Azure, opens a remote session to the VM, and then runs the same download, install and registry steps as the Azure Serial Console scripts inside that session. The bcdedit lines are run from cmd because PowerShell would otherwise parse {bootmgr} and {current} as script blocks.

Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1

```powershell
#Set up your variables:
$subscriptionID = '<your subscription ID>'
$vmname = '<IP of your machine or FQDN>'
$PSPort = '5986' #change this variable if you customize HTTPS on PowerShell to another port
#Log in to your subscription
Add-AzureRmAccount
Select-AzureRmSubscription -SubscriptionID $subscriptionID
Set-AzureRmContext -SubscriptionID $subscriptionID
#Connect to Remote PowerShell (the remaining lines run inside the remote session)
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip
#Create a download location
md c:\temp
##Download the KB file
$source = 'http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows6.1-kb4103718-x64_c051268978faef39e21863a95ea2452ecbc0936d.msu'
$destination = 'c:\temp\windows6.1-kb4103718-x64_c051268978faef39e21863a95ea2452ecbc0936d.msu'
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)
#Install the KB
expand -F:* $destination C:\temp
dism /ONLINE /add-package /packagepath:'c:\temp\Windows6.1-KB4103718-x64.cab'
#Add the vulnerability key to allow unpatched clients
REG ADD 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' /v AllowEncryptionOracle /t REG_DWORD /d 2
#Set up Azure Serial Console flags (from cmd, so that {bootmgr} is not parsed by PowerShell)
cmd
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 5
bcdedit /set {bootmgr} bootems yes
bcdedit /ems {current} on
bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200
#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f
```

Windows Server 2012

```powershell
#Set up your variables:
$subscriptionID = '<your subscription ID>'
$vmname = '<IP of your machine or FQDN>'
$PSPort = '5986' #change this variable if you customize HTTPS on PowerShell to another port
#Log in to your subscription
Add-AzureRmAccount
Select-AzureRmSubscription -SubscriptionID $subscriptionID
Set-AzureRmContext -SubscriptionID $subscriptionID
#Connect to Remote PowerShell (the remaining lines run inside the remote session)
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip
#Create a download location
md c:\temp
##Download the KB file
$source = 'http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/04/windows8-rt-kb4103730-x64_1f4ed396b8c411df9df1e6755da273525632e210.msu'
$destination = 'c:\temp\windows8-rt-kb4103730-x64_1f4ed396b8c411df9df1e6755da273525632e210.msu'
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)
#Install the KB
expand -F:* $destination C:\temp
dism /ONLINE /add-package /packagepath:'c:\temp\Windows8-RT-KB4103730-x64.cab'
#Add the vulnerability key to allow unpatched clients
REG ADD 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' /v AllowEncryptionOracle /t REG_DWORD /d 2
#Set up Azure Serial Console flags (from cmd, so that {bootmgr} is not parsed by PowerShell)
cmd
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 5
bcdedit /set {bootmgr} bootems yes
bcdedit /ems {current} on
bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200
#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f
```

Windows 8.1 / Windows Server 2012 R2

```powershell
#Set up your variables:
$subscriptionID = '<your subscription ID>'
$vmname = '<IP of your machine or FQDN>'
$PSPort = '5986' #change this variable if you customize HTTPS on PowerShell to another port
#Log in to your subscription
Add-AzureRmAccount
Select-AzureRmSubscription -SubscriptionID $subscriptionID
Set-AzureRmContext -SubscriptionID $subscriptionID
#Connect to Remote PowerShell (the remaining lines run inside the remote session)
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip
#Create a download location
md c:\temp
##Download the KB file
$source = 'http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows8.1-kb4103725-x64_cdf9b5a3be2fd4fc69bc23a617402e69004737d9.msu'
$destination = 'c:\temp\windows8.1-kb4103725-x64_cdf9b5a3be2fd4fc69bc23a617402e69004737d9.msu'
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)
#Install the KB
expand -F:* $destination C:\temp
dism /ONLINE /add-package /packagepath:'c:\temp\Windows8.1-KB4103725-x64.cab'
#Add the vulnerability key to allow unpatched clients
REG ADD 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' /v AllowEncryptionOracle /t REG_DWORD /d 2
#Set up Azure Serial Console flags (from cmd, so that {bootmgr} is not parsed by PowerShell)
cmd
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 5
bcdedit /set {bootmgr} bootems yes
bcdedit /ems {current} on
bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200
#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f
```

RS1 - Windows 10 version 1607 / Windows Server 2016

```powershell
#Set up your variables:
$subscriptionID = '<your subscription ID>'
$vmname = '<IP of your machine or FQDN>'
$PSPort = '5986' #change this variable if you customize HTTPS on PowerShell to another port
#Log in to your subscription
Add-AzureRmAccount
Select-AzureRmSubscription -SubscriptionID $subscriptionID
Set-AzureRmContext -SubscriptionID $subscriptionID
#Connect to Remote PowerShell (the remaining lines run inside the remote session)
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip
#Create a download location
md c:\temp
##Download the KB file
$source = 'http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows10.0-kb4103723-x64_2adf2ea2d09b3052d241c40ba55e89741121e07e.msu'
$destination = 'c:\temp\windows10.0-kb4103723-x64_2adf2ea2d09b3052d241c40ba55e89741121e07e.msu'
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)
#Install the KB
expand -F:* $destination C:\temp
dism /ONLINE /add-package /packagepath:'c:\temp\Windows10.0-KB4103723-x64.cab'
#Add the vulnerability key to allow unpatched clients
REG ADD 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' /v AllowEncryptionOracle /t REG_DWORD /d 2
#Set up Azure Serial Console flags (from cmd, so that {bootmgr} is not parsed by PowerShell)
cmd
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 5
bcdedit /set {bootmgr} bootems yes
bcdedit /ems {current} on
bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200
#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f
```

RS2 - Windows 10 version 1703

```powershell
#Set up your variables:
$subscriptionID = '<your subscription ID>'
$vmname = '<IP of your machine or FQDN>'
$PSPort = '5986' #change this variable if you customize HTTPS on PowerShell to another port
#Log in to your subscription
Add-AzureRmAccount
Select-AzureRmSubscription -SubscriptionID $subscriptionID
Set-AzureRmContext -SubscriptionID $subscriptionID
#Connect to Remote PowerShell (the remaining lines run inside the remote session)
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip
#Create a download location
md c:\temp
##Download the KB file
$source = 'http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103731-x64_209b6a1aa4080f1da0773d8515ff63b8eca55159.msu'
$destination = 'c:\temp\windows10.0-kb4103731-x64_209b6a1aa4080f1da0773d8515ff63b8eca55159.msu'
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)
#Install the KB
expand -F:* $destination C:\temp
dism /ONLINE /add-package /packagepath:'c:\temp\Windows10.0-KB4103731-x64.cab'
#Add the vulnerability key to allow unpatched clients
REG ADD 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' /v AllowEncryptionOracle /t REG_DWORD /d 2
#Set up Azure Serial Console flags (from cmd, so that {bootmgr} is not parsed by PowerShell)
cmd
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 5
bcdedit /set {bootmgr} bootems yes
bcdedit /ems {current} on
bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200
#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f
```

RS3 - Windows 10 version 1709 / Windows Server 2016 version 1709

```powershell
#Set up your variables:
$subscriptionID = '<your subscription ID>'
$vmname = '<IP of your machine or FQDN>'
$PSPort = '5986' #change this variable if you customize HTTPS on PowerShell to another port
#Log in to your subscription
Add-AzureRmAccount
Select-AzureRmSubscription -SubscriptionID $subscriptionID
Set-AzureRmContext -SubscriptionID $subscriptionID
#Connect to Remote PowerShell (the remaining lines run inside the remote session)
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip
#Create a download location
md c:\temp
##Download the KB file
$source = 'http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103727-x64_c217e7d5e2efdf9ff8446871e509e96fdbb8cb99.msu'
$destination = 'c:\temp\windows10.0-kb4103727-x64_c217e7d5e2efdf9ff8446871e509e96fdbb8cb99.msu'
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)
#Install the KB
expand -F:* $destination C:\temp
dism /ONLINE /add-package /packagepath:'c:\temp\Windows10.0-KB4103727-x64.cab'
#Add the vulnerability key to allow unpatched clients
REG ADD 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' /v AllowEncryptionOracle /t REG_DWORD /d 2
#Set up Azure Serial Console flags (from cmd, so that {bootmgr} is not parsed by PowerShell)
cmd
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 5
bcdedit /set {bootmgr} bootems yes
bcdedit /ems {current} on
bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200
#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f
```

RS4 - Windows 10 version 1803 / Windows Server 2016 version 1803

```powershell
#Set up your variables:
$subscriptionID = '<your subscription ID>'
$vmname = '<IP of your machine or FQDN>'
$PSPort = '5986' #change this variable if you customize HTTPS on PowerShell to another port
#Log in to your subscription
Add-AzureRmAccount
Select-AzureRmSubscription -SubscriptionID $subscriptionID
Set-AzureRmContext -SubscriptionID $subscriptionID
#Connect to Remote PowerShell (the remaining lines run inside the remote session)
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip
#Create a download location
md c:\temp
##Download the KB file
$source = 'http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103721-x64_fcc746cd817e212ad32a5606b3db5a3333e030f8.msu'
$destination = 'c:\temp\windows10.0-kb4103721-x64_fcc746cd817e212ad32a5606b3db5a3333e030f8.msu'
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)
#Install the KB
expand -F:* $destination C:\temp
dism /ONLINE /add-package /packagepath:'c:\temp\Windows10.0-KB4103721-x64.cab'
#Add the vulnerability key to allow unpatched clients
REG ADD 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' /v AllowEncryptionOracle /t REG_DWORD /d 2
#Set up Azure Serial Console flags (from cmd, so that {bootmgr} is not parsed by PowerShell)
cmd
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 5
bcdedit /set {bootmgr} bootems yes
bcdedit /ems {current} on
bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200
#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f
```
Summary
This article describes the Remote Desktop Protocol (RDP) used for communication between the Terminal Server and the Terminal Server Client. RDP is encapsulated and encrypted within TCP.
More Information
Understanding the Remote Desktop Protocol (RDP)
Remote Desktop Protocol is based on, and is an extension of, the T-120 family of protocol standards. A multichannel capable protocol allows for separate virtual channels for carrying presentation data, serial device communication, licensing information, highly encrypted data (keyboard, mouse activity), and so on. As RDP is an extension of the core T.Share protocol, several other capabilities are retained as part of the RDP, such as the architectural features necessary to support multipoint (multiparty sessions). Multipoint data delivery allows data from an application to be delivered in 'real-time' to multiple parties without having to send the same data to each session individually (for example, Virtual Whiteboards).
In this first release of Windows Terminal Server, however, we are concentrating on providing reliable and fast point-to-point (single-session) communications. Only one data channel will be used in the initial release of Terminal Server 4.0. However, the flexibility of RDP gives plenty of room for functionality in future products.
One reason that Microsoft decided to implement RDP for connectivity purposes within Windows NT Terminal Server is that it provides a very extensible base from which to build many more capabilities. This is because RDP provides 64,000 separate channels for data transmission. However, current transmission activities are only using a single channel (for keyboard, mouse, and presentation data).
Also, RDP is designed to support many different types of network topologies (such as ISDN, POTS, and many LAN protocols such as IPX, NetBIOS, TCP/IP, and so on). The current version of RDP will only run over TCP/IP, but, with customer feedback, other protocol support may be added in future versions.
The activity involved in sending and receiving data through the RDP stack is essentially the same as the seven-layer OSI model standards for common LAN networking today. Data from an application or service to be transmitted is passed down through the protocol stacks, sectioned, directed to a channel (through MCS), encrypted, wrapped, framed, packaged onto the network protocol, and finally addressed and sent over the wire to the client. The returned data works the same way only in reverse, with the packet being stripped of its address, then unwrapped, decrypted, and so on until the data is presented to the application for use. Key portions of the protocol stack modifications occur between the fourth and seventh layers, where the data is encrypted, wrapped and framed, directed to a channel and prioritized.
One of the key points for application developers is that, in using RDP, Microsoft has abstracted away the complexities of dealing with the protocol stack. This allows them to simply write clean, well-designed, well-behaved 32-bit applications, and then the RDP stack implemented by the Terminal Server and its client connections takes care of the rest.
For more information on how applications interact on the Terminal Server and what to be aware of when developing applications for a Windows Terminal Server infrastructure, look at the 'Optimizing Applications for Windows NT Server 4.0, Terminal Server Edition' white paper.
Four components worth discussing within the RDP stack instance are the Multipoint Communication Service (MCSMUX), the Generic Conference Control (GCC), Wdtshare.sys, and Tdtcp.sys. MCSMUX and GCC are part of the International Telecommunication Union (ITU) T.120 family. The MCS is made up of two standards: T.122, which defines the multipoint services, and T.125, which specifies the data transmission protocol. MCSMUX controls channel assignment (by multiplexing data onto predefined virtual channels within the protocol), priority levels, and segmentation of data being sent. It essentially abstracts the multiple RDP stacks into a single entity, from the perspective of the GCC. GCC is responsible for management of those multiple channels. The GCC allows the creation and deletion of session connections and controls resources provided by MCS.
Each Terminal Server protocol (currently, only RDP and Citrix's ICA are supported) will have a protocol stack instance loaded (a listener stack awaiting a connection request). The Terminal Server device driver coordinates and manages the RDP protocol activity and is made up of smaller components: an RDP driver (Wdtshare.sys) for UI transfer, compression, encryption, framing, and so on, and a transport driver (Tdtcp.sys) to package the protocol onto the underlying network protocol, TCP/IP.
RDP was developed to be entirely independent of its underlying transport stack, in this case TCP/IP. Because RDP is completely independent of its transport stack, other transport drivers for other network protocols can be added as customers' needs for them grow, with little or no significant change to the foundational parts of the protocol. These are key elements to the performance and extensibility of RDP on the network.