Policy
Encryption Oracle Remediation
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsVista
Encryption Oracle Remediation This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability. If you enable this policy setting, CredSSP version support will be selected based on the following options: Force Updated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. Note: this setting should not be deployed until all remote hosts support the newest version. Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients. Vulnerable: Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients. For more information about the vulnerability and servicing requirements for protection, see https://go.microsoft.com/fwlink/?linkid=866660
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
Protection Level: ID AllowEncryptionOracleDrop | enum | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\AllowEncryptionOracle Type REG_DWORD | Options: Force Updated Clients (0), Mitigated (1), Vulnerable (2) |
Other policies in this category
Explore related policies at the same level.
- ComputerAllow delegating default credentialsAt least Windows Vista
- ComputerAllow delegating default credentials with NTLM-only server authenticationAt least Windows Vista
- ComputerAllow delegating fresh credentialsAt least Windows Vista
- ComputerAllow delegating fresh credentials with NTLM-only server authenticationAt least Windows Vista
- ComputerAllow delegating saved credentialsAt least Windows Vista
- ComputerAllow delegating saved credentials with NTLM-only server authenticationAt least Windows Vista
- ComputerDeny delegating default credentialsAt least Windows Vista
- ComputerDeny delegating fresh credentialsAt least Windows Vista
- ComputerDeny delegating saved credentialsAt least Windows Vista
- ComputerRemote host allows delegation of non-exportable credentialsAt least Windows Server 2016, Windows 10 Version 1703
- ComputerRestrict delegation of credentials to remote serversAt least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1