
Unable to RDP to an Azure VM due to a CredSSP Encryption Oracle Remediation error

7:22 pm in Azure, Cloud, CredSSP, Encryption Oracle Remediation, RDP, Remote Desktop Connection, VM, Windows 10 by Wim Matthyssen

After applying some Windows updates on my Windows 10 Version 1803 home PC, I was unable to make a Remote Desktop (RDP) connection to some Microsoft Azure virtual machines (VMs).

When I made an RDP connection, I received the following error message:

An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation. For more information, see


What is CredSSP and why did it cause the error

The Credential Security Support Provider protocol (CredSSP) is a security protocol used to process authentication requests for other applications, such as RDP. It securely forwards encrypted credentials from the Windows client to the target server for remote authentication.

Because of a critical vulnerability that has been discovered in CredSSP, which affects all versions of Windows and could allow remote attackers to exploit RDP and WinRM to steal data and run malicious code, Microsoft has released security update(s).
You can find the list of the corresponding KB number(s) for each operating system here:

In my case, my recently updated Windows 10 PC could not communicate with a non-updated server (it was not allowed to set up an insecure RDP connection).


To solve the error, first of all, I needed to temporarily change the policy settings on my Windows 10 to gain RDP access to the server.

To do so, open Run and execute gpedit.msc to change the settings in the Local Group Policy Editor. Browse to Computer Configuration / Administrative Templates / System. Open Credentials Delegation in the left pane.



Change the Encryption Oracle Remediation policy to Enabled, and Protection Level to Vulnerable.


You can also use the following PowerShell script to do it in a more automated way:

Or you can simply use this command line one-liner which can also be run in PowerShell (run as admin):

After this change, I was able to set up an insecure RDP connection to the server(s), where I installed the missing security update.


After deploying the specific update on the server(s), I was able to connect to it without the error and with the Encryption Oracle Remediation settings reset to the default.


Of course you can also use PowerShell to set everything back to the default (copy and save as .ps1).

Or like before you can simply use a command line one-liner in PowerShell (run as admin):
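As an added example (not the author's original script), the following PowerShell audits the client-side Encryption Oracle Remediation setting and, once the server is patched, removes the override again. It assumes the policy's documented registry value AllowEncryptionOracle; the `$resetToDefault` switch and the function names are hypothetical.

```powershell
# Added example: audit, and optionally reset, the client-side CredSSP
# Encryption Oracle Remediation setting. Run in an elevated session.
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$name = 'AllowEncryptionOracle'
$levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspProtectionLevel {
    # Returns the configured protection level, or a note that nothing is set.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured (default)' }
    $value = [int]$item.$name
    if ($levels.ContainsKey($value)) { return "$value ($($levels[$value]))" }
    return "$value (unrecognised)"
}

function Reset-CredSspProtectionLevel {
    # Removes the override so the client falls back to its patched default.
    if (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $path -Name $name
    }
}

$resetToDefault = $false   # hypothetical switch: set to $true once the server is patched

Write-Output "Current level: $(Get-CredSspProtectionLevel)"
if ($resetToDefault) {
    Reset-CredSspProtectionLevel
    Write-Output "After reset:   $(Get-CredSspProtectionLevel)"
}
elseif ((Get-CredSspProtectionLevel) -like '2 *') {
    Write-Warning 'Client still accepts unpatched CredSSP servers; reset after patching.'
}
# If the value was set through gpedit.msc, also return the policy to
# "Not Configured" there, otherwise a policy refresh can write it back.
```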

This concludes this blog post, hope it helps if you face this error.

Wim Matthyssen (@wmatthyssen)

An RDP connection to the Azure RemoteApp custom VM fails with the following error: “No Remote Desktop License Servers available”

3:35 pm in Azure, Azure PowerShell, Azure RemoteApp, RDP, W2K12R2 by Wim Matthyssen

A while ago I was setting up Azure RemoteApp at a client. After creating the custom image, I was unable to connect to the newly created Azure IaaS virtual machine (VM) with RDP. The below Remote Desktop Connection error popped up:


The error occurs because the 120-day licensing grace period for the Remote Desktop Server role has expired and you need to install licenses. In my opinion this is really strange, because it’s a new VM created from the Windows Server RDSHwO365P image available in the Azure Marketplace. That being said, below you can find out how I was finally able to connect to the VM with RDP.

1) First of all, save a local copy of the RDP file from the Azure portal. I saved it under the C:\Temp folder on my laptop




2) Open Windows PowerShell ISE as an Administrator and run the following command to connect. This command will disable licensing for just that connection (replace AZUTST with your own RDP file name):


Be aware that only 2 connections are possible at the same time when using /admin.

3) As you can see below, by using /admin I was able to connect to the VM





This concludes this blog post, hope it helps!

Wim Matthyssen (@wmatthyssen)

Replica DCs on Azure – Removing the Azure Endpoints

10:04 am in Azure, Azure Endpoints, Cloud, DC, hybrid cloud, IaaS, PowerShell, RDP, Replica DC, W2K12R2 by Wim Matthyssen

This blog post is part of the step-by-step to deploy replica DCs on Microsoft Azure which can be found here:

All VMs that you create in Azure can automatically communicate using a private network channel with other VMs in the same cloud service or VNet. However, other resources on the Internet or resources from other VNets require endpoints to handle the inbound network traffic to those VMs. That’s why when you create a new Azure  IaaS v1 VM (Azure Service Manager deployment model), Azure automatically creates two endpoints: Remote Desktop and Windows PowerShell Remoting. Both endpoints consist of a protocol (TCP or UDP) and have a public (for example 54036) and a private (for example 3389) port. The public port is used by the Azure load balancer to listen for incoming traffic to the IaaS VM from the Internet. The private port on the other hand is used by the IaaS VM itself to listen for incoming traffic to an application or service running on the VM.

After the creation of this new VM it’s possible to create additional endpoints if needed. The VM deployment wizard provides pre-defined endpoint configurations not only for Remote Desktop and PowerShell, but also for SSH, FTP, SMTP, DNS, HTTP, POP3, IMAP, LDAP, HTTPS, SMTPS, IMAPS, POP3S, MSSQL and MySQL. If the needed service isn’t in this list, you can also create your own service endpoint and define the protocols and ports needed.

You can manage and isolate the incoming traffic to the public ports of these endpoints by configuring access control list (ACL) rules. By using ACLs, you can for example, only permit access to a specific service from a set of trusted hosts or networks.

However, as a security best practice, once an IaaS VM is configured and a site-to-site VPN (S2S) exists, it’s always advisable to remove all endpoints you don’t need (like RDP) and to use endpoints only when they’re really needed (for example, to access an IIS-hosted website from the Internet on port 443). When the S2S is in place, you can connect to the VM on the standard local RDP port (3389) through the secure IPsec VPN tunnel instead of connecting over the public Internet.

In this blog post I will show you how you can delete the RDP and PowerShell endpoint manually by making use of the Azure Classic Portal (AZGR-DC-01) and how to do it with the use of Azure PowerShell (AZGR-DC-02). So, let’s get started.

Manually remove the Azure Endpoints through the Azure Classic Portal

1) Log on to the Azure Classic Portal as a Service administrator or Co-administrator

2) In the navigation pane, click VIRTUAL MACHINES and then click the name of the VM where the endpoint needs to be deleted (AZGR-DC-01)




4) Select the Remote Desktop endpoint and click DELETE


5) Select YES when asked Are You sure that you want to delete endpoint Remote Desktop? This will start the deletion process




6) When the Remote Desktop endpoint is successfully deleted, you can test whether you’re still able to RDP to the VM over the Internet. First of all, as you can see, the CONNECT button is disabled


7) If we try to connect through the previously downloaded RDP file, no connection is possible





8) However, when we log on to GR-DC-01 and open mstsc via Run, we are still able to RDP to AZGR-DC-01 as expected, because we connect over the internal network




9) You can repeat the above steps to delete the Remote PowerShell endpoint


Remove the Azure Endpoints through the use of Azure PowerShell

1) Open Windows PowerShell ISE, log on with your Azure account and select the correct Azure subscription

2) Run the following Azure PowerShell cmdlet:


3) Run the following cmdlet to check the existing endpoints for the VM


4) As you can see, only the Remote PowerShell endpoint still exists, which we can also verify in the Azure Classic Portal


5) To delete the PowerShell endpoint, run the following cmdlet:


6) After running this cmdlet, no endpoints exist any longer for the AZGR-DC-02 VM
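As an added example (not the author's original cmdlets), the following script goes beyond the single-VM case above: it lists every classic (Azure Service Manager) VM in the selected subscription that still has an endpoint mapped to a management port, and can remove those endpoints. It assumes the classic Azure PowerShell module and an already selected subscription; the function name, the `$remove` switch and the 5986 port for PowerShell remoting are assumptions.

```powershell
# Added example for the classic (ASM) Azure PowerShell module.
# Assumes you are logged on and the correct subscription is selected.
$managementPorts = 3389, 5986   # private ports: RDP, and WinRM over HTTPS (assumed default)
$remove = $false                # hypothetical switch: set to $true to delete flagged endpoints

function Get-ExposedManagementEndpoint {
    # Emits one object per endpoint whose private port is a management port.
    foreach ($vm in Get-AzureVM) {
        $context = Get-AzureVM -ServiceName $vm.ServiceName -Name $vm.Name
        foreach ($endpoint in ($context | Get-AzureEndpoint)) {
            if ($managementPorts -contains $endpoint.LocalPort) {
                [pscustomobject]@{
                    ServiceName = $vm.ServiceName
                    VMName      = $vm.Name
                    Endpoint    = $endpoint.Name
                    Protocol    = $endpoint.Protocol
                    PublicPort  = $endpoint.Port
                    PrivatePort = $endpoint.LocalPort
                }
            }
        }
    }
}

$exposed = @(Get-ExposedManagementEndpoint)
$exposed | Format-Table -AutoSize

if ($remove) {
    foreach ($entry in $exposed) {
        # Remove the endpoint from the VM configuration and push the change.
        Get-AzureVM -ServiceName $entry.ServiceName -Name $entry.VMName |
            Remove-AzureEndpoint -Name $entry.Endpoint |
            Update-AzureVM
    }
    # Re-run the audit; an empty result means no management endpoint is left.
    Get-ExposedManagementEndpoint | Format-Table -AutoSize
}
```

Run it once with `$remove = $false` to review the list, and only remove endpoints after confirming that RDP over the site-to-site VPN works.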



That ends the final part of this series. I had a lot of fun while writing this series and I really hope it’s useful for some people. If someone has any questions about the series or a specific part of it, you can always contact me through my Twitter handle.

Till next time!

Wim Matthyssen (@wmatthyssen)

How to use mRemoteNG to connect to multiple Client Hyper-V VMs with RDP in a tabbed view

7:56 pm in Client Hyper-V, RDP, Windows 10 by Wim Matthyssen

Starting with Windows 10, Client Hyper-V supports nested virtualization (basically, it allows you to run Hyper-V in a Hyper-V virtual machine), something many people had long been waiting for. It also brings other nice new features to the built-in hypervisor, like:

  • Windows PowerShell Direct
  • Hot add and remove network adapters and memory
  • Linux secure boot
  • Integration Services delivered through Windows Update
  • A new virtual machine configuration file format .VMCX

If you’re interested in reading more, you can do so via the following link:

Because of all those nice improvements I decided to create my new demo and testing environment with it on my notebook. When Client Hyper-V (optional feature) was installed and the VMs for the complete infrastructure were built, I had the ability to connect to those VMs via two mechanisms: the VM console (VMConnect) and Remote Desktop (RDP).

The VM Console provides a single monitor view of the VM with resolution up to 1600 x 1200 in 32-bit color. This console also provides you with the ability to view the VM’s booting process. You can use it by opening the Hyper-V Manager, right-clicking a VM, and selecting Connect…


If you want a richer experience, you can connect to a VM using an RDP connection. Then the VM will take advantage of the capabilities available on your notebook (multi monitor use, full media capability, shared clipboard, USB redirection and much more). You can use it by opening Run and typing mstsc (like everyone probably knows).


Because you mostly work with more than one server in a lab environment, the VM Console is not very practical: there is no tool available to manage multiple VM Console connections in a tabbed view that lets you switch easily between all those running VMs.

When you use RDP instead to connect to those VMs, several such tools (free or paid) are available:

Before we start, first some practical information and tips:

  • I will be using mRemoteNG to use multiple RDP connections in a tabbed view
  • The IP range used is
  • Two VMs will be used in this example: GR-DC-01 and GR-DC-02
  • In all steps PowerShell is used with administrator rights
  • When you use a generation 2 VM, set the Firmware setting to Boot from Hard Drive
  • To use an RDP connection from your notebook to a VM running in Client Hyper-V an internal virtual switch needs to be connected to the VM

1) First of all an internal virtual switch needs to be created on the host. So open PowerShell and run the following command:

New-VMSwitch -Name InternalRDP -SwitchType Internal -Notes 'RDP connection'


2) You can check if the virtual switch is created correctly by opening up your Hyper-V Manager and clicking on Virtual Switch Manager


3) Still on the host, assign the static IP address to the network adapter that was created for the virtual switch “InternalRDP”. Open up PowerShell and run the following commands:

#Retrieve the right network adapter

$netadapter = Get-NetAdapter -Name "vEthernet (InternalRDP)"

#Disable DHCP

$netadapter | Set-NetIPInterface -DHCP Disabled

#Configure the IP address

$netadapter | New-NetIPAddress -AddressFamily IPv4 -IPAddress -PrefixLength 24 -Type Unicast



4) Connect the virtual network adapter of both VMs to the InternalRDP virtual switch by using PowerShell

#Add Networks

Get-VMNetworkAdapter GR-DC-01 | Connect-VMNetworkAdapter -SwitchName InternalRDP

Get-VMNetworkAdapter GR-DC-02 | Connect-VMNetworkAdapter -SwitchName InternalRDP



5) Log on to both VMs with the VM Console and rename the network adapters with PowerShell

Get-NetAdapter -Name Ethernet | Rename-NetAdapter -NewName Internal -PassThru



6) On VM GR-DC-01 assign the fixed IP address with subnet mask for the “Internal” network adapter


7) On VM GR-DC-02 assign the fixed IP address with subnet mask for the “Internal” network adapter

8) Enable RDP on both VMs


9) If the Windows Firewall is enabled, don’t forget to adjust the necessary Inbound Rules to allow RDP


10) Open mRemoteNG, right-click Connections and select “New Connection”. Create two new connections named “GR-DC-01” and “GR-DC-02”. When created, fill in all necessary info as shown in the screenshot below (I log in with the local administrator, that’s why I filled in .\ for the domain).


11) Click both connections and you will see that you can use both VMs in a tabbed view by using RDP
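As an added example (not the author's original commands), steps 8 and 9 can be scripted inside each VM so that RDP is enabled with Network Level Authentication required and the firewall rules only accept connections from the internal switch range. The subnet is a constructed placeholder, the function names are hypothetical, and the 'Remote Desktop' display group name assumes an English-language Windows installation.

```powershell
# Added example: run inside each VM in an elevated PowerShell session.
$labSubnet = '192.0.2.0/24'   # constructed placeholder; use your InternalRDP range
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

function Enable-LabRdp {
    # Step 8: allow RDP connections and require Network Level Authentication.
    Set-ItemProperty -Path $ts  -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1
    # Step 9: enable the built-in inbound rules, limited to the lab subnet.
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $labSubnet
}

function Test-LabRdp {
    # Reports the resulting state so the change can be verified.
    $remotes = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
        Get-NetFirewallAddressFilter |
        Select-Object -ExpandProperty RemoteAddress |
        Sort-Object -Unique
    [pscustomobject]@{
        RdpEnabled     = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
        NlaRequired    = (Get-ItemProperty -Path $tcp).UserAuthentication -eq 1
        AllowedRemotes = $remotes -join ', '
    }
}

Enable-LabRdp
Test-LabRdp | Format-List
```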



That’s all, hope it helps!

Wim Matthyssen (@wmatthyssen)