CredSSP updates for CVE-2018-0886
That Monday morning issue when servers were patched on a Sunday… All Windows 10 clients fail to RDP to the RDS server following Windows Server patching.
“By default, after this update is installed, patched clients cannot communicate with unpatched servers. Use the interoperability matrix and group policy settings described in this article to enable an “allowed” configuration.”
Temp Solution until clients are patched
Create the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
(the CredSSP and Parameters keys had to be created)
Create the AllowEncryptionOracle DWORD and give it a value of 2
Or from the command line:
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2
Tested on Windows 7 and Windows 10.
No reboot required.
Note that this setting weakens the protection the patch was released to provide, so remove it once the clients are patched.
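The same workaround as a reversible PowerShell script, added here as an example rather than code from the original post. It assumes the registry path above and an elevated PowerShell session; the value meanings (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable) are from Microsoft's CVE-2018-0886 guidance.

```powershell
# Added example: report, apply and revert the temporary CredSSP workaround.
$CredSspPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

function Get-CredSspOracleSetting {
    # Returns the current AllowEncryptionOracle value, or $null when the
    # value is absent (meaning the patched default applies).
    $item = Get-ItemProperty -Path $CredSspPath -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AllowEncryptionOracle
}

function Enable-CredSspWorkaround {
    # Temporary: value 2 ("Vulnerable") lets patched clients reach unpatched servers.
    # New-Item -Force creates the missing CredSSP and Parameters keys in one go.
    if (-not (Test-Path $CredSspPath)) { New-Item -Path $CredSspPath -Force | Out-Null }
    New-ItemProperty -Path $CredSspPath -Name AllowEncryptionOracle -PropertyType DWord -Value 2 -Force | Out-Null
}

function Disable-CredSspWorkaround {
    # Remove the override so the patched default is enforced again.
    if (Test-Path $CredSspPath) {
        Remove-ItemProperty -Path $CredSspPath -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    }
}

# Usage: show the current state; uncomment one of the two calls as needed.
$current = Get-CredSspOracleSetting
switch ($current) {
    $null   { Write-Host 'AllowEncryptionOracle not set: patched default in force' }
    0       { Write-Host 'AllowEncryptionOracle = 0 (Force Updated Clients)' }
    1       { Write-Host 'AllowEncryptionOracle = 1 (Mitigated)' }
    2       { Write-Host 'AllowEncryptionOracle = 2 (Vulnerable) - temporary workaround active' }
    default { Write-Host "AllowEncryptionOracle = $current (unexpected value)" }
}
# Enable-CredSspWorkaround
# Disable-CredSspWorkaround
```

Run Disable-CredSspWorkaround once every client has the update installed, so the server no longer accepts the weaker negotiation.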
We have an RDS cluster and everything is working fine.
We use roaming profiles, and redirection to a share is working as well.
When a user logs on to any RDS node we can see a user folder appear in E:\Users\ on the RDS server.
When I checked the registry I could see two keys about profiles:
– you can see that the redirection is OK: CentralProfile (in my example \\Sharename\…)
– you can see a ProfileImagePath pointing to E:\Users
So what is:
– a ProfileImagePath?
– a CentralProfile?
E:\Users\<username> is the local cache of the roaming profile. I’ve never seen a setting to avoid caching of the profile on the local system entirely.
There is a group policy setting to automatically delete the cached copy upon user logoff. It is under Computer Configuration -> Policies -> Administrative Templates -> System -> User Profiles -> Delete cached copies of roaming profiles.
Plus side: this avoids disk space being consumed by cached user profiles.
It will probably increase logon time, as the full profile has to be copied every time.
When testing, this also cleared out the cache of a custom application which didn't write back to the roaming profile.
Tested on Windows 2008 R2
Create a GPO – “Add the Administrator security group to roaming users profiles”
Computer Configuration > Policies > Administrative Templates > System > User Profiles, applied to Windows XP / 2003 or later.
This setting adds an Administrators ACL entry to the user's roaming profile path on the server when it is first created.
Administrators are then able to view users' profiles without needing to take ownership.
Enable this option as soon as possible: the setting does NOT apply retrospectively to existing user profiles, as the Administrators group is only added when the roaming profile is created on the server for the first time.
Original detail posted by Alan Burchill
Some of our users keep getting logged on with a temporary profile.
We have an RDS cluster using Windows 2008 R2 x64 and users are set up with roaming profiles.
Profiles go to \\server\users\%username%. Intermittently the folder is created in the profile share but is empty.
Permissions checked OK. Shares checked OK.
Possibly caused by a server crash corrupting the profiles, instead of a normal logoff allowing the profile to write back.
Browse the registry on your terminal server under: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Look for any keys under ProfileList with a “.bak” suffix.
Select the key and click delete (export or back up any keys before making changes or deletions).
Solution found here: http://www.brianmadden.com/
How to put a Terminal Services server in Install mode.
You will need to switch to Install mode to install or remove programs on a terminal server.
The method I use the most is:
Open command prompt as administrator
Type: change user /install
This will switch the server to Install mode.
Now you're ready to install applications.
Switch Terminal Services back to Execute mode when you are finished adding or removing programs.
Open command prompt as administrator
Type: change user /execute
Users can now log in and start using the new applications.