-->
This article provides a solution to an issue in which you are not able to connect to a virtual machine (VM) using RDP with error: CredSSP encryption oracle remediation.
Original product version: Virtual Machine running Windows
Original KB number: 4295591
Original KB number: 4295591
- Messagesdecrypterror= ' A handshake cryptographic operation failed, including being unable: to correctly verify a signature or validate a Finished message. This message is always fatal. ' messagesexportrestriction= ' This alert was used in some earlier versions of TLS. It MUST NOT: be sent by compliant implementations.
- When Mac users update their operating system, Wi-Fi connectivity can vanish. At the time of the original version of El Capitan, a lot of users found they couldn't connect to Wi-Fi, which made it harder for Apple to release an update that included a patch solving this particular problem.
Ensure that openssl versions (used to encrypt/decrypt), are compatible. The hash used in openssl changed at version 1.1.0 from MD5 to SHA256. This produces a different key from the same password. Fix: add '-md md5' in 1.1.0 to decrypt data from lower versions, and add '-md sha256 in lower versions to decrypt data from 1.1.0. The process of establishing a secure SSL/TLS connection involves several steps. SSL/TLS security protocols use a combination of asymmetric and symmetric encryption. The client and the server must negotiate the algorithms used and exchange key information.
Symptoms
Consider the following scenario:
- The Credential Security Support Provider protocol (CredSSP) updates for CVE-2018-0886 are applied to a Windows VM (remote server) in Microsoft Azure or on a local client.
- You try to make a remote desktop (RDP) connection to the server from the local client.
In this scenario, you receive the following error message:
An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660.
How to verify that the CredSSP update is installed
Check the update history for the following updates, or check the version of TSpkg.dll.
Operating system | TSpkg.dll version with CredSSP update | CredSSP update |
---|---|---|
Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1 | 6.1.7601.24117 | KB4103718 (Monthly Rollup) |
KB4103712 (Security-only update) | ||
Windows Server 2012 | 6.2.9200.22432 | KB4103730 (Monthly Rollup) |
KB4103726 (Security-only update) | ||
Windows 8.1 / Windows Sever 2012 R2 | 6.3.9600.18999 | KB4103725 (Monthly Rollup) |
KB4103715 (Security-only update) | ||
RS1 - Windows 10 Version 1607 / Windows Server 2016 | 10.0.14393.2248 | KB4103723 |
RS2 - Windows 10 Version 1703 | 10.0.15063.1088 | KB4103731 |
RS3 - Windows 10 1709 | 10.0.16299.431 | KB4103727 |
Cause
This error occurs if you are trying to establish an insecure RDP connection, and the insecure RDP connection is blocked by an Encryption Oracle Remediation policy setting on the server or client. This setting defines how to build an RDP session by using CredSSP, and whether an insecure RDP is allowed.
See the following interoperability matrix for scenarios that are either vulnerable to this exploit or cause operational failures.
- | - | Server | - | - | - |
---|---|---|---|---|---|
- | - | Updated | Force updated clients | Mitigated | Vulnerable |
Client | Updated | Allowed | Blocked2 | Allowed | Allowed |
Force updated clients | Blocked | Allowed | Allowed | Allowed | |
Mitigated | Blocked 1 | Allowed | Allowed | Allowed | |
Vulnerable | Allowed | Allowed | Allowed | Allowed |
Examples
1 The client has the CredSSP update installed, and Encryption Oracle Remediation is set to Mitigated. This client will not RDP to a server that does not have the CredSSP update installed.
2 The server has the CredSSP update installed, and Encryption Oracle Remediation is set to Force updated clients. The server will block any RDP connection from clients that do not have the CredSSP update installed.
Resolution
To resolve the issue, install CredSSP updates for both client and server so that RDP can be established in a secure manner. For more information, see CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability.
How to install this update by using Azure Serial console
- Sign in to the Azure portal, select Virtual Machine, and then select the VM.
- Scroll down to the Support + Troubleshooting section, and then click Serial console (Preview). The serial console requires Special Administrative Console (SAC) to be enabled within the Windows VM. If you do not see SAC> in the console (as shown in the following screenshot), go to the 'How to install the update by using Remote PowerShell' section in this article.
- Type
cmd
to start a channel that has a CMD instance. - Type
ch-si 1
to switch to the channel that is running the CMD instance. You receive the following output: - Press Enter, and then enter your login credentials that have administrative permission.
- After you enter valid credentials, the CMD instance opens, and you will see the command at which you can start troubleshooting.
- To start a PowerShell instance, type
PowerShell
. - In the PowerShell instance, run the Serial console scriptbased on the VM operating system. This script does the following:
- Create a folder in which to save the download file.
- Download the update.
- Install the update.
- Add the vulnerability key to allow non-updated clients to connect to the VM.
- Restart the VM
How to install this update by using Remote PowerShell
- On any Windows-based computer that has PowerShell installed, add the IP address of the VM to the 'trusted' list in the host file, as follows:
- In the Azure portal, configure Network Security Groups on the VM to allow traffic to port 5986.
- In the Azure portal, select Virtual Machine > < your VM >, scroll down to the OPERATIONS section, click the Run command, and then run EnableRemotePS.
- On the Windows-based computer, run the Remote PowerShell script for the appropriate system version of your VM. This script does the following:
- Connect to Remote PowerShell on the VM.
- Create a folder to which to save the download file.
- Download the Credssp update.
- Install the update.
- Set the vulnerability registry key to allow non-updated clients to connect to the VM.
- Enable Serial Console for future and easier mitigation.
- Restart the VM.
Workaround
Warning
After you change the following setting, an unsecure connection is allowed that will expose the remote server to attacks. Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.
Scenario 1: Updated clients cannot communicate with non-updated servers
The most common scenario is that the client has the CredSSP update installed, and the Encryption Oracle Remediation policy setting does not allow an insecure RDP connection to a server that does not have the CredSSP update installed.
To work around this issue, follow these steps:
Decrypt Mac Verify Failed For Connection Password
- On the client has the CredSSP update installed, run gpedit.msc, and then browse to Computer Configuration > Administrative Templates > System > Credentials Delegation in the navigation pane.
- Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.If you cannot use gpedit.msc, you can make the same change by using the registry, as follows:
- Open a Command Prompt window as Administrator.
- Run the following command to add a registry value:
Scenario 2: Non-updated clients cannot communicate with patched servers
If the Azure Windows VM has this update installed, and it is restricted to receiving non-updated clients, follow these steps to change the Encryption Oracle Remediation policy setting:
- On any Windows computer that has PowerShell installed, add the IP of the VM to the 'trusted' list in the host file:
- Go to the Azure portal, locate the VM, and then update the Network Security group to allow PowerShell ports 5985 and 5986.
- On the Windows computer, connect to the VM by using PowerShell:For HTTP:For HTTPS:
- Run the following command to change the Encryption Oracle Remediation policy setting by using the registry:
Azure Serial Console scripts
OS Version | Script |
---|---|
Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1 | #Create a download location md c:temp ##Download the KB file $source = 'http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows6.1-kb4103718-x64_c051268978faef39e21863a95ea2452ecbc0936d.msu' $destination = 'c:tempwindows6.1-kb4103718-x64_c051268978faef39e21863a95ea2452ecbc0936d.msu' $wc = New-Object System.Net.WebClient $wc.DownloadFile($source,$destination) #Install the KB expand -F:* $destination C:temp dism /ONLINE /add-package /packagepath:'c:tempWindows6.1-KB4103718-x64.cab' #Add the vulnerability key to allow unpatched clients REG ADD 'HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' /v AllowEncryptionOracle /t REG_DWORD /d 2 #Restart the VM to complete the installations/settings shutdown /r /t 0 /f |
Windows Server 2012 | #Create a download location md c:temp ##Download the KB file $source = 'http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/04/windows8-rt-kb4103730-x64_1f4ed396b8c411df9df1e6755da273525632e210.msu' $destination = 'c:tempwindows8-rt-kb4103730-x64_1f4ed396b8c411df9df1e6755da273525632e210.msu' $wc = New-Object System.Net.WebClient $wc.DownloadFile($source,$destination) #Install the KB expand -F:* $destination C:temp dism /ONLINE /add-package /packagepath:'c:tempWindows8-RT-KB4103730-x64.cab' #Add the vulnerability key to allow unpatched clients REG ADD 'HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' /v AllowEncryptionOracle /t REG_DWORD /d 2 #Restart the VM to complete the installations/settings shutdown /r /t 0 /f |
Windows 8.1 / Windows Sever 2012 R2 | #Create a download location md c:temp ##Download the KB file $source = 'http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows8.1-kb4103725-x64_cdf9b5a3be2fd4fc69bc23a617402e69004737d9.msu' $destination = 'c:tempwindows8.1-kb4103725-x64_cdf9b5a3be2fd4fc69bc23a617402e69004737d9.msu' $wc = New-Object System.Net.WebClient $wc.DownloadFile($source,$destination) #Install the KB expand -F:* $destination C:temp dism /ONLINE /add-package /packagepath:'c:tempWindows8.1-KB4103725-x64.cab' #Add the vulnerability key to allow unpatched clients REG ADD 'HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' /v AllowEncryptionOracle /t REG_DWORD /d 2 #Restart the VM to complete the installations/settings shutdown /r /t 0 /f |
RS1 - Windows 10 version 1607 / Windows Server 2016 | #Create a download location md c:temp ##Download the KB file $source = 'http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows10.0-kb4103723-x64_2adf2ea2d09b3052d241c40ba55e89741121e07e.msu' $destination = 'c:tempwindows10.0-kb4103723-x64_2adf2ea2d09b3052d241c40ba55e89741121e07e.msu' $wc = New-Object System.Net.WebClient $wc.DownloadFile($source,$destination) #Install the KB expand -F:* $destination C:temp dism /ONLINE /add-package /packagepath:'c:tempWindows10.0-KB4103723-x64.cab' #Add the vulnerability key to allow unpatched clients REG ADD 'HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' /v AllowEncryptionOracle /t REG_DWORD /d 2 #Restart the VM to complete the installations/settings shutdown /r /t 0 /f |
RS2 - Windows 10 version 1703 | #Create a download location md c:temp ##Download the KB file $source = 'http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103731-x64_209b6a1aa4080f1da0773d8515ff63b8eca55159.msu' $destination = 'c:tempwindows10.0-kb4103731-x64_209b6a1aa4080f1da0773d8515ff63b8eca55159.msu' $wc = New-Object System.Net.WebClient $wc.DownloadFile($source,$destination) #Install the KB expand -F:* $destination C:temp dism /ONLINE /add-package /packagepath:'c:tempWindows10.0-KB4103731-x64.cab' #Add the vulnerability key to allow unpatched clients REG ADD 'HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' /v AllowEncryptionOracle /t REG_DWORD /d 2 #Restart the VM to complete the installations/settings shutdown /r /t 0 /f |
RS3 - Windows 10 version 1709 / Windows Server 2016 version 1709 | #Create a download location md c:temp ##Download the KB file $source = 'http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103727-x64_c217e7d5e2efdf9ff8446871e509e96fdbb8cb99.msu' $destination = 'c:tempwindows10.0-kb4103727-x64_c217e7d5e2efdf9ff8446871e509e96fdbb8cb99.msu' $wc = New-Object System.Net.WebClient $wc.DownloadFile($source,$destination) #Install the KB expand -F:* $destination C:temp dism /ONLINE /add-package /packagepath:'c:tempWindows10.0-KB4103727-x64.cab' #Add the vulnerability key to allow unpatched clients REG ADD 'HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' /v AllowEncryptionOracle /t REG_DWORD /d 2 #Restart the VM to complete the installations/settings shutdown /r /t 0 /f |
RS4 - Windows 10 1803 / Windows Server 2016 version 1803 | #Create a download location md c:temp ##Download the KB file $source = 'http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103721-x64_fcc746cd817e212ad32a5606b3db5a3333e030f8.msu' $destination = 'c:tempwindows10.0-kb4103721-x64_fcc746cd817e212ad32a5606b3db5a3333e030f8.msu' $wc = New-Object System.Net.WebClient $wc.DownloadFile($source,$destination) #Install the KB expand -F:* $destination C:temp dism /ONLINE /add-package /packagepath:'c:tempWindows10.0-KB4103721-x64.cab' #Add the vulnerability key to allow unpatched clients REG ADD 'HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' /v AllowEncryptionOracle /t REG_DWORD /d 2 #Restart the VM to complete the installations/settings shutdown /r /t 0 /f |
Remote PowerShell scripts
OS Version | Script |
---|---|
Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1 | #Set up your variables: $subscriptionID = ' #Log in to your subscription Add-AzureRmAccount Select-AzureRmSubscription -SubscriptionID $subscriptionID Set-AzureRmContext -SubscriptionID $subscriptionID #Connect to Remote Powerwhell $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip #Create a download location md c:temp ##Download the KB file $source = 'http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows6.1-kb4103718-x64_c051268978faef39e21863a95ea2452ecbc0936d.msu' $destination = 'c:tempwindows6.1-kb4103718-x64_c051268978faef39e21863a95ea2452ecbc0936d.msu' $wc = New-Object System.Net.WebClient $wc.DownloadFile($source,$destination) #Install the KB expand -F:* $destination C:temp dism /ONLINE /add-package /packagepath:'c:tempWindows6.1-KB4103718-x64.cab' #Add the vulnerability key to allow unpatched clients REG ADD 'HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' /v AllowEncryptionOracle /t REG_DWORD /d 2 #Set up Azure Serial Console flags cmd bcdedit /set {bootmgr} displaybootmenu yes bcdedit /set {bootmgr} timeout 5 bcdedit /set {bootmgr} bootems yes bcdedit /ems {current} on bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200 #Restart the VM to complete the installations/settings shutdown /r /t 0 /f |
Windows Server 2012 | #Set up your variables: $subscriptionID = ' #Log in to your subscription Add-AzureRmAccount Select-AzureRmSubscription -SubscriptionID $subscriptionID Set-AzureRmContext -SubscriptionID $subscriptionID #Connect to Remote Powerwhell $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip #Create a download location md c:temp ##Download the KB file $source = 'http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/04/windows8-rt-kb4103730-x64_1f4ed396b8c411df9df1e6755da273525632e210.msu' $destination = 'c:tempwindows8-rt-kb4103730-x64_1f4ed396b8c411df9df1e6755da273525632e210.msu' $wc = New-Object System.Net.WebClient $wc.DownloadFile($source,$destination) #Install the KB expand -F:* $destination C:temp dism /ONLINE /add-package /packagepath:'c:tempWindows8-RT-KB4103730-x64.cab' #Add the vulnerability key to allow unpatched clients REG ADD 'HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' /v AllowEncryptionOracle /t REG_DWORD /d 2 #Set up Azure Serial Console flags cmd bcdedit /set {bootmgr} displaybootmenu yes bcdedit /set {bootmgr} timeout 5 bcdedit /set {bootmgr} bootems yes bcdedit /ems {current} on bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200 #Restart the VM to complete the installations/settings shutdown /r /t 0 /f |
Windows 8.1 / Windows Sever 2012 R2 | #Set up your variables: $subscriptionID = ' #Log in to your subscription Add-AzureRmAccount Select-AzureRmSubscription -SubscriptionID $subscriptionID Set-AzureRmContext -SubscriptionID $subscriptionID #Connect to Remote Powerwhell $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip #Create a download location md c:temp ##Download the KB file $source = 'http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows8.1-kb4103725-x64_cdf9b5a3be2fd4fc69bc23a617402e69004737d9.msu' $destination = 'c:tempwindows8.1-kb4103725-x64_cdf9b5a3be2fd4fc69bc23a617402e69004737d9.msu' $wc = New-Object System.Net.WebClient $wc.DownloadFile($source,$destination) #Install the KB expand -F:* $destination C:temp dism /ONLINE /add-package /packagepath:'c:tempWindows8.1-KB4103725-x64.cab' #Add the vulnerability key to allow unpatched clients REG ADD 'HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' /v AllowEncryptionOracle /t REG_DWORD /d 2 #Set up Azure Serial Console flags cmd bcdedit /set {bootmgr} displaybootmenu yes bcdedit /set {bootmgr} timeout 5 bcdedit /set {bootmgr} bootems yes bcdedit /ems {current} on bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200 #Restart the VM to complete the installations/settings shutdown /r /t 0 /f |
RS1 - Windows 10 version 1607 / Windows Server 2016 | #Set up your variables: $subscriptionID = ' #Log in to your subscription Add-AzureRmAccount Select-AzureRmSubscription -SubscriptionID $subscriptionID Set-AzureRmContext -SubscriptionID $subscriptionID #Connect to Remote Powerwhell $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip #Create a download location md c:temp ##Download the KB file $source = 'http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows10.0-kb4103723-x64_2adf2ea2d09b3052d241c40ba55e89741121e07e.msu' $destination = 'c:tempwindows10.0-kb4103723-x64_2adf2ea2d09b3052d241c40ba55e89741121e07e.msu' $wc = New-Object System.Net.WebClient $wc.DownloadFile($source,$destination) #Install the KB expand -F:* $destination C:temp dism /ONLINE /add-package /packagepath:'c:tempWindows10.0-KB4103723-x64.cab' #Add the vulnerability key to allow unpatched clients REG ADD 'HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' /v AllowEncryptionOracle /t REG_DWORD /d 2 #Set up Azure Serial Console flags cmd bcdedit /set {bootmgr} displaybootmenu yes bcdedit /set {bootmgr} timeout 5 bcdedit /set {bootmgr} bootems yes bcdedit /ems {current} on bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200 #Restart the VM to complete the installations/settings shutdown /r /t 0 /f |
RS2 - Windows 10 version 1703 | #Set up your variables: $subscriptionID = ' #Log in to your subscription Add-AzureRmAccount Select-AzureRmSubscription -SubscriptionID $subscriptionID Set-AzureRmContext -SubscriptionID $subscriptionID #Connect to Remote Powerwhell $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip #Create a download location md c:temp ##Download the KB file $source = 'http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103731-x64_209b6a1aa4080f1da0773d8515ff63b8eca55159.msu' $destination = 'c:tempwindows10.0-kb4103731-x64_209b6a1aa4080f1da0773d8515ff63b8eca55159.msu' $wc = New-Object System.Net.WebClient $wc.DownloadFile($source,$destination) #Install the KB expand -F:* $destination C:temp dism /ONLINE /add-package /packagepath:'c:tempWindows10.0-KB4103731-x64.cab' #Add the vulnerability key to allow unpatched clients REG ADD 'HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' /v AllowEncryptionOracle /t REG_DWORD /d 2 #Set up Azure Serial Console flags cmd bcdedit /set {bootmgr} displaybootmenu yes bcdedit /set {bootmgr} timeout 5 bcdedit /set {bootmgr} bootems yes bcdedit /ems {current} on bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200 #Restart the VM to complete the installations/settings shutdown /r /t 0 /f |
RS3 - Windows 10 version 1709 / Windows Server 2016 version 1709 | #Set up your variables: $subscriptionID = ' #Log in to your subscription Add-AzureRmAccount Select-AzureRmSubscription -SubscriptionID $subscriptionID Set-AzureRmContext -SubscriptionID $subscriptionID #Connect to Remote Powerwhell $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip #Create a download location md c:temp ##Download the KB file $source = 'http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103727-x64_c217e7d5e2efdf9ff8446871e509e96fdbb8cb99.msu' $destination = 'c:tempwindows10.0-kb4103727-x64_c217e7d5e2efdf9ff8446871e509e96fdbb8cb99.msu' $wc = New-Object System.Net.WebClient $wc.DownloadFile($source,$destination) #Install the KB expand -F:* $destination C:temp dism /ONLINE /add-package /packagepath:'c:tempWindows10.0-KB4103727-x64.cab' #Add the vulnerability key to allow unpatched clients REG ADD 'HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' /v AllowEncryptionOracle /t REG_DWORD /d 2 #Set up Azure Serial Console flags cmd bcdedit /set {bootmgr} displaybootmenu yes bcdedit /set {bootmgr} timeout 5 bcdedit /set {bootmgr} bootems yes bcdedit /ems {current} on bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200 #Restart the VM to complete the installations/settings shutdown /r /t 0 /f |
RS4 - Windows 10 1803 / Windows Server 2016 version 1803 | #Set up your variables: $subscriptionID = ' #Log in to your subscription Add-AzureRmAccount Select-AzureRmSubscription -SubscriptionID $subscriptionID Set-AzureRmContext -SubscriptionID $subscriptionID #Connect to Remote Powerwhell $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip #Create a download location md c:temp ##Download the KB file $source = 'http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103721-x64_fcc746cd817e212ad32a5606b3db5a3333e030f8.msu' $destination = 'c:tempwindows10.0-kb4103721-x64_fcc746cd817e212ad32a5606b3db5a3333e030f8.msu' $wc = New-Object System.Net.WebClient $wc.DownloadFile($source,$destination) #Install the KB expand -F:* $destination C:temp dism /ONLINE /add-package /packagepath:'c:tempWindows10.0-KB4103721-x64.cab' #Add the vulnerability key to allow unpatched clients REG ADD 'HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' /v AllowEncryptionOracle /t REG_DWORD /d 2 #Set up Azure Serial Console flags cmd bcdedit /set {bootmgr} displaybootmenu yes bcdedit /set {bootmgr} timeout 5 bcdedit /set {bootmgr} bootems yes bcdedit /ems {current} on bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200 #Restart the VM to complete the installations/settings shutdown /r /t 0 /f |
Mac computers that have the Apple T2 Security Chip integrate security into both software and hardware to provide encrypted-storage capabilities. Data on the built-in, solid-state drive (SSD) is encrypted using a hardware-accelerated AES engine built into the T2 chip. This encryption is performed with 256-bit keys tied to a unique identifier within the T2 chip.
The advanced encryption technology integrated into the T2 chip provides line-speed encryption, but it also means that if the portion of the T2 chip containing your encryption keys becomes damaged, you might need to restore the content of your drive from a backup. This content includes system files, apps, accounts, preferences, music, photos, movies, and documents.
Always back up your content to a secure external drive or other secure backup location so that you can restore it, if necessary. You should also turn on FileVault for additional security, because without FileVault enabled, your encrypted SSDs automatically mount and decrypt when connected to your Mac.
Make a backup
Decrypt Mac Verify Failed For Connection Windows 7
Set up Time Machine or another backup method to regularly back up your Mac to a secure external source.
Files that you store in iCloud Drive, as well as photos and videos that you store in iCloud Photo Library, are automatically uploaded to iCloud. When you use iCloud Photo Library, full-resolution photos and videos are stored on your Mac by default and included in a Time Machine backup. If you choose to optimize iCloud Photo Library on your Mac, the full-resolution originals are not included in a Time Machine backup.
Turn on FileVault
Though the SSD in computers that have the Apple T2 Security Chip is encrypted, you should turn on FileVault so that your Mac requires a password to decrypt your data.
Cisco Decrypt Mac Verify Failed For Connection
To turn on FileVault, follow these steps:
Decrypt Mac Verify Failed For Connection Windows 10
- Choose Apple menu () > System Preferences, then click Security & Privacy.
- Click the FileVault tab.
- Click , then enter an administrator name and password.
- Click Turn On FileVault.