logobossshoppe

After Windows Update, I get this error when trying to connect to a server using Remote Desktop Connection.

• Remote Desktop Error Code 0x609

When read the link provided by error message, it seems because of an update at 2018/05/08:

I need to connect to a Win2008R2 RDP Remote App server using various client platforms, especially Win7, Android and iOS. On all cases, I'm using the official Microsoft's apps/programs to connect to. This is one of those rare cases where the accepted answer is also the best answer. Other answers leave you vulnerable to CVE-2018-0886: 'A remote code execution vulnerability exists in unpatched versions of CredSSP. An attacker who successfully exploits this vulnerability could relay user credentials to execute code on the target system.

May 8, 2018

An update to change the default setting from Vulnerable to Mitigated.

Related Microsoft Knowledge Base numbers are listed in CVE-2018-0886.

Is there a solution for this?

Peter MortensenPham X. BachPham X. Bach

migrated from stackoverflow.comMay 10 '18 at 10:13

This question came from our site for professional and enthusiast programmers.

13 Answers

(Posted an answer on behalf of the question author).

As in some answers, the best solution for this error is to update both server and clients to version >= the 2018-05-08 update from Microsoft.

If you cannot update both of them (i.e. you can only update client or server) then you could apply one of the workarounds from the answers below, and change the configuration back ASAP so that you minimise the duration of the vulnerability introduced by the workaround.

I found one solution. As described in the help link, I tried roll back from update 2018/05/08 by changing the value of this group policy:

• Run gpedit.msc

• Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Encryption Oracle Remediation

Change it to Enable and in Protection level, change back to Vulnerable.

I am not sure if it may rollback any risk of an attacker exploiting my connection. I hope Microsoft will fix this soon so I could restore the setting to the recommend setting Mitigated.

Pham X. BachPham X. Bach

Another way is install Microsoft Remote Desktop client from MS Store - https://www.microsoft.com/en-us/store/p/microsoft-remote-desktop/9wzdncrfj3ps

This problem only happens in my Hyper-V VM, and remoting to physical machines is OK.

Go to This PC → System Settings → Advanced System Settings on the server and then I solved it by unchecking target VM 'allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)'.

Peter Mortensen

Following ac19501's answer I have created two registry files to make this easier:

rdp_insecure_on.reg

rdp_insecure_off.reg

I came across the same issues. The better solution would be to update the machine you are connecting to instead of using Pham X Bach answer to lower security level.

However, if you cannot update the machine for some reason his workaround works.

Peter Mortensen

You need to install a Windows Update for the server and all clients. To look for the update, go to https://portal.msrc.microsoft.com/en-us/security-guidance, then search for the 2018-0886 CVE and choose the Security Update for the version of Windows installed.

You need to update your Windows Server using Windows Update. All required patches will be installed. Then you can connect to your server via Remote Desktop again.

Remote Desktop Error Code 0x609

You need to install kb4103725

Read more at:https://support.microsoft.com/en-us/help/4103725/windows-81-update-kb4103725

For servers, we can also change the setting via Remote PowerShell (assuming WinRM is enabled, etc..)

Now, if this setting is managed by a domain GPO, it's possible that it'll revert, so you need to check the GPOs. But for a quick fix, this works.

Reference: https://www.petri.com/disable-remote-desktop-network-level-authentication-using-powershell

Update on GPO example on print screen.

Based on the answer 'reg add 'HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters' /f /v AllowEncryptionOracle /t REG_DWORD /d 2'

Key Path: SoftwareMicrosoftWindowsCurrentVersionPoliciesSystemCredSSPParameters
Value Name: AllowEncryptionOracle
Value data: 2

Another option if you have access to the command-line (we have an SSH server running on the box) is to run 'sconfig.cmd' from the command line. You get a menu like below:

Choose option 7, and turn it on for all clients, not just secure.

Once that's done, you can remote desktop in. It looks like for us the problem was our client systems got updated for the new security, but our server boxes were behind on updates. I'd suggest getting the updates and then turning this security setting back on.

Peter Mortensen

Uninstall:

• For Windows 7 and 8.1: KB4103718 and/or KB4093114
• For Windows 10: KB4103721 and/or KB4103727 server without updates

This update contains a patch for vulnerability CVE-2018-0886. On a non-patched server it lets them in without them.

Peter Mortensen

Not the answer you're looking for? Browse other questions tagged remote-desktop or ask your own question.

I doubt this a 'problem' with the mac as such nor does it have anything to do with Remote Desktop for Mac which is an entirely different product and for which this forum is for. Questions about RDC for Mac should be put on the relevant Microsoft forum rather than here. However your problem may be with your understanding of the secure remote connections requirements between your server and remote connections. I doubt you'd be aware of any of this as generally server administrators won't necessarily discuss them. By default a mac will not have server-client trust certificates installed simply because the exchange won't happen transparently between an MS based server and non MS-OS such as OS X.

Vivaldi how to clear history.

You begin to solve the problem by asking your server administrator for the server's root certificate. He/she has to export this using the built-in tools. They should know how to do this? Once exported save it to a memory stick, insert it into your mac, double click on the .cer file and when prompted install it as a system keychain. On further prompts make sure you select 'Always Trust'. Launch RDC for Mac and you should be OK?

If your server administrator does not know how or, worse still, won't do this for you, then you have far deeper problems that go well beyond OS X in particular and IT as a whole in general.