"CredSSP encryption oracle remediation" error when you try to RDP to a Windows VM in Azure

Applies to: Azure

Symptoms


Consider the following scenario:

In this scenario, you receive the following error message: 

How to verify that the CredSSP update is installed


Check the update history for the following updates, or check the version of TSpkg.dll.

Operating system TSpkg.dll version with CredSSP update CredSSP update
Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1 6.1.7601.24117 KB4103718 (Monthly Rollup)
KB4103712 (Security-only update)
Windows Server 2012 6.2.9200.22432 KB4103730 (Monthly Rollup)
KB4103726 (Security-only update)
Windows 8.1 / Windows Sever 2012 R2 6.3.9600.18999 KB4103725 (Monthly Rollup)
KB4103715 (Security-only update)
RS1 - Windows 10 Version 1607 / Windows Server 2016 10.0.14393.2248 KB4103723
RS2 - Windows 10 Version 1703 10.0.15063.1088 KB4103731
RS3 - Windows 10 1709 10.0.16299.431 KB4103727

Cause


This error occurs if you are trying to establish an insecure RDP connection, and the insecure RDP connection is blocked by an Encryption Oracle Remediation policy setting on the server or client. This setting defines how to build an RDP session by using CredSSP, and whether an insecure RDP is allowed.

See the following interoperability matrix for scenarios that are either vulnerable to this exploit or cause operational failures.

    Server
    Updated Force updated clients Mitigated Vulnerable
Client Updated Allowed Blocked2 Allowed Allowed
Force updated clients Blocked Allowed Allowed Allowed
Mitigated Blocked1 Allowed Allowed Allowed
Vulnerable Allowed Allowed Allowed Allowed

Examples
 

The client has the CredSSP update installed, and Encryption Oracle Remediation is set to Mitigated. This client will not RDP to a server that does not have the CredSSP update installed.

The server has the CredSSP update installed, and Encryption Oracle Remediation is set to Force updated clients. The server will block any RDP connection from clients that do not have the CredSSP update installed.

Resolution


To resolve the issue, install CredSSP updates for both client and server so that RDP can be established in a secure manner. For more information, see CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability.

How to install this update by using Azure Serial console

  1. Sign in to the Azure portal, select Virtual Machine, and then select the VM.
  2. Scroll down to the Support + Troubleshooting section, and then click Serial console (Preview)The serial console requires Special Administrative Console (SAC) to be enabled within the Windows VM. If you do not see SAC> in the console (as shown in the following screen shot), go to the "How to install the update by using Remote PowerShell" section in this article.

    The image about SAC is connected

  1. Type cmd to start a channel that has a CMD instance.
  2. Type ch-si 1 to switch to the channel that is running the CMD instance. You receive the following output:

    The image about launch CMD in SAC
  3. Press Enter, and then enter your login credentials that have administrative permission.
  4. After you enter valid credentials, the CMD instance opens, and you will see the command at which you can start troubleshooting.

    The image  about CMD section in SAC
  5. To start a PowerShell instance, typePowerShell.
  6. In the PowerShell instance, run the Serial console script based on the VM operating system. This script does the following: 
     
    • Create a folder in which to save the download file.
    • Download the update.
    • Install the update.
    • Add the vulnerability key to allow non-updated clients to connect to the VM.
    • Restart the VM

How to install this update by using Remote PowerShell 

  1. On any Windows-based computer that has PowerShell installed, add the IP address of the VM to the "trusted" list in the host file, as follows:
    Set-item wsman:\localhost\Client\TrustedHosts -value <IP>
  2. In the Azure portal, configure Nework Security Groups on the VM to allow traffic to port 5986.
  3. In the Azure portal, select Virtual Machine > <your VM>, scroll down to the OPERATIONS section, click the Run command, and then run EnableRemotePS. 
  4. On the Windows-based computer, run the Remote PowerShell script for the appropriate system version of your VM. This script does the following:
    • Connect to Remote PowerShell on the VM.
    • Create a folder to which to save the download file.
    • Download the Credssp update.
    • Install the update.
    • Set the vulnerability registry key to allow non-updated clients to connect to the VM.
    • Enable Serial Console for future and easier mitigation.
    • Restart the VM.

Workaround


Scenario 1: Updated clients cannot communicate with non-updated servers

The most common scenario is that the client has the CredSSP update installed, and the Encryption Oracle Remediation policy setting does not allow an insecure RDP connection to a server that does not have the CredSSP update installed.

To work around this issue, follow these steps:

  1. On the client has the CredSSP update installed, run gpedit.msc, and then browse to Computer Configuration > Administrative Templates > System > Credentials Delegation in the navigation pane. 
  2. Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.

If you cannot use gpedit.msc, you can make the same change by using the registry, as follows:

  1. Open a Command Prompt window as Administrator.
  2. Run the following command to add a registry value:
    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2


Scenario 2: Non-updated clients cannot communicate with patched servers

If the Azure Windows VM has this update installed, and it is restricted to receiving non-updated clients, follow these steps to change the Encryption Oracle Remediation policy setting:

  1. On any Windows computer that has PowerShell installed, add the IP of the VM to the "trusted" list in the host file:
    Set-item wsman:\localhost\Client\TrustedHosts -value <IP>
  2. Go to the Azure portal, locate the VM, and then update the Network Security group to allow PowerShell ports 5985 and 5986.
  3. On the Windows computer, connect to the VM by using PowerShell:
    For HTTP:
    $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "<<Public IP>>" -port "5985" -Credential (Get-Credential) -SessionOption $Skip

    For HTTPS:
    $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "<<Public IP>>" -port "5986" -Credential (Get-Credential) -useSSL -SessionOption $Skip
  4. Run the following command to change the Encryption Oracle Remediation policy setting by using the registry:
    Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name "AllowEncryptionOracle" 2 -Type DWord

Azure Serial Console scripts


 

OS Version

Script

Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1

#Create a download location
md c:\temp

##Download the KB file
$source = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows6.1-kb4103718-x64_c051268978faef39e21863a95ea2452ecbc0936d.msu"
$destination = "c:\temp\windows6.1-kb4103718-x64_c051268978faef39e21863a95ea2452ecbc0936d.msu"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)

#Install the KB
expand -F:* $destination C:\temp\
dism /ONLINE /add-package /packagepath:"c:\temp\Windows6.1-KB4103718-x64.cab"

#Add the vulnerability key to allow unpatched clients
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2

#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f

Windows Server 2012

#Create a download location
md c:\temp

##Download the KB file
$source = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/04/windows8-rt-kb4103730-x64_1f4ed396b8c411df9df1e6755da273525632e210.msu"
$destination = "c:\temp\windows8-rt-kb4103730-x64_1f4ed396b8c411df9df1e6755da273525632e210.msu"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)

#Install the KB
expand -F:* $destination C:\temp\
dism /ONLINE /add-package /packagepath:"c:\temp\Windows8-RT-KB4103730-x64.cab"

#Add the vulnerability key to allow unpatched clients
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2

#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f

Windows 8.1 / Windows Sever 2012 R2

#Create a download location
md c:\temp

##Download the KB file
$source = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows8.1-kb4103725-x64_cdf9b5a3be2fd4fc69bc23a617402e69004737d9.msu"
$destination = "c:\temp\windows8.1-kb4103725-x64_cdf9b5a3be2fd4fc69bc23a617402e69004737d9.msu"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)

#Install the KB
expand -F:* $destination C:\temp\
dism /ONLINE /add-package /packagepath:"c:\temp\Windows8.1-KB4103725-x64.cab"

#Add the vulnerability key to allow unpatched clients
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2

#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f

RS1 - Windows 10 version 1607 / Windows Server 2016

#Create a download location
md c:\temp

##Download the KB file
$source = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows10.0-kb4103723-x64_2adf2ea2d09b3052d241c40ba55e89741121e07e.msu"
$destination = "c:\temp\windows10.0-kb4103723-x64_2adf2ea2d09b3052d241c40ba55e89741121e07e.msu"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)

#Install the KB
expand -F:* $destination C:\temp\
dism /ONLINE /add-package /packagepath:"c:\temp\Windows10.0-KB4103723-x64.cab"

#Add the vulnerability key to allow unpatched clients
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2

#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f

RS2 - Windows 10 version 1703

#Create a download location
md c:\temp

##Download the KB file
$source = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103731-x64_209b6a1aa4080f1da0773d8515ff63b8eca55159.msu"
$destination = "c:\temp\windows10.0-kb4103731-x64_209b6a1aa4080f1da0773d8515ff63b8eca55159.msu"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)

#Install the KB
expand -F:* $destination C:\temp\
dism /ONLINE /add-package /packagepath:"c:\temp\Windows10.0-KB4103731-x64.cab"

#Add the vulnerability key to allow unpatched clients
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2

#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f

RS3 - Windows 10 version 1709 / Windows Server 2016 version 1709

#Create a download location
md c:\temp

##Download the KB file
$source = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103727-x64_c217e7d5e2efdf9ff8446871e509e96fdbb8cb99.msu"
$destination = "c:\temp\windows10.0-kb4103727-x64_c217e7d5e2efdf9ff8446871e509e96fdbb8cb99.msu"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)

#Install the KB
expand -F:* $destination C:\temp\
dism /ONLINE /add-package /packagepath:"c:\temp\Windows10.0-KB4103727-x64.cab"

#Add the vulnerability key to allow unpatched clients
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2

#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f

RS4 - Windows 10 1803 / Windows Server 2016 version 1803

#Create a download location
md c:\temp

##Download the KB file
$source = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103721-x64_fcc746cd817e212ad32a5606b3db5a3333e030f8.msu"
$destination = "c:\temp\windows10.0-kb4103721-x64_fcc746cd817e212ad32a5606b3db5a3333e030f8.msu"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)

#Install the KB
expand -F:* $destination C:\temp\
dism /ONLINE /add-package /packagepath:"c:\temp\Windows10.0-KB4103721-x64.cab"

#Add the vulnerability key to allow unpatched clients
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2

#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f

Remote PowerShell scripts


 

OS Version

Script

Windows 7 Service Pack 1 / Windows Server 2008 R2 Service Pack 1

#Set up your variables:
$subscriptionID = "<your subscription ID>"
$vmname = "<IP of your machine or FQDN>"
$PSPort = "5986" #change this variable if you customize HTTPS on powershell to another port

#​​​​Log in to your subscription
Add-AzureRmAccount
Select-AzureRmSubscription -SubscriptionID $subscriptionID
Set-AzureRmContext -SubscriptionID $subscriptionID

#Connect to Remote Powerwhell
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip

#Create a download location
md c:\temp

##Download the KB file
$source = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows6.1-kb4103718-x64_c051268978faef39e21863a95ea2452ecbc0936d.msu"
$destination = "c:\temp\windows6.1-kb4103718-x64_c051268978faef39e21863a95ea2452ecbc0936d.msu"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)

#Install the KB
expand -F:* $destination C:\temp\
dism /ONLINE /add-package /packagepath:"c:\temp\Windows6.1-KB4103718-x64.cab"

#Add the vulnerability key to allow unpatched clients
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2

#Set up Azure Serial Console flags
cmd
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 5
bcdedit /set {bootmgr} bootems yes
bcdedit /ems {current} on
bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200 

#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f

Windows Server 2012

#Set up your variables:
$subscriptionID = "<your subscription ID>"
$vmname = "<IP of your machine or FQDN>"
$PSPort = "5986" #change this variable if you customize HTTPS on powershell to another port

#​​​​Log in to your subscription
Add-AzureRmAccount
Select-AzureRmSubscription -SubscriptionID $subscriptionID
Set-AzureRmContext -SubscriptionID $subscriptionID

#Connect to Remote Powerwhell
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip

#Create a download location
md c:\temp

##Download the KB file
$source = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/04/windows8-rt-kb4103730-x64_1f4ed396b8c411df9df1e6755da273525632e210.msu"
$destination = "c:\temp\windows8-rt-kb4103730-x64_1f4ed396b8c411df9df1e6755da273525632e210.msu"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)

#Install the KB
expand -F:* $destination C:\temp\
dism /ONLINE /add-package /packagepath:"c:\temp\Windows8-RT-KB4103730-x64.cab"

#Add the vulnerability key to allow unpatched clients
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2

#Set up Azure Serial Console flags
cmd
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 5
bcdedit /set {bootmgr} bootems yes
bcdedit /ems {current} on
bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200 

#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f

Windows 8.1 / Windows Sever 2012 R2

#Set up your variables:
$subscriptionID = "<your subscription ID>"
$vmname = "<IP of your machine or FQDN>"
$PSPort = "5986" #change this variable if you customize HTTPS on powershell to another port

#​​​​Log in to your subscription
Add-AzureRmAccount
Select-AzureRmSubscription -SubscriptionID $subscriptionID
Set-AzureRmContext -SubscriptionID $subscriptionID

#Connect to Remote Powerwhell
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip

#Create a download location
md c:\temp

##Download the KB file
$source = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows8.1-kb4103725-x64_cdf9b5a3be2fd4fc69bc23a617402e69004737d9.msu"
$destination = "c:\temp\windows8.1-kb4103725-x64_cdf9b5a3be2fd4fc69bc23a617402e69004737d9.msu"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)

#Install the KB
expand -F:* $destination C:\temp\
dism /ONLINE /add-package /packagepath:"c:\temp\Windows8.1-KB4103725-x64.cab"

#Add the vulnerability key to allow unpatched clients
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2

#Set up Azure Serial Console flags
cmd
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 5
bcdedit /set {bootmgr} bootems yes
bcdedit /ems {current} on
bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200 

#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f

RS1 - Windows 10 version 1607 / Windows Server 2016

#Set up your variables:
$subscriptionID = "<your subscription ID>"
$vmname = "<IP of your machine or FQDN>"
$PSPort = "5986" #change this variable if you customize HTTPS on powershell to another port

#​​​​Log in to your subscription
Add-AzureRmAccount
Select-AzureRmSubscription -SubscriptionID $subscriptionID
Set-AzureRmContext -SubscriptionID $subscriptionID

#Connect to Remote Powerwhell
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip

#Create a download location
md c:\temp

##Download the KB file
$source = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/05/windows10.0-kb4103723-x64_2adf2ea2d09b3052d241c40ba55e89741121e07e.msu"
$destination = "c:\temp\windows10.0-kb4103723-x64_2adf2ea2d09b3052d241c40ba55e89741121e07e.msu"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)

#Install the KB
expand -F:* $destination C:\temp\
dism /ONLINE /add-package /packagepath:"c:\temp\Windows10.0-KB4103723-x64.cab"

#Add the vulnerability key to allow unpatched clients
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2

#Set up Azure Serial Console flags
cmd
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 5
bcdedit /set {bootmgr} bootems yes
bcdedit /ems {current} on
bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200 

#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f

RS2 - Windows 10 version 1703

#Set up your variables:
$subscriptionID = "<your subscription ID>"
$vmname = "<IP of your machine or FQDN>"
$PSPort = "5986" #change this variable if you customize HTTPS on powershell to another port

#​​​​Log in to your subscription
Add-AzureRmAccount
Select-AzureRmSubscription -SubscriptionID $subscriptionID
Set-AzureRmContext -SubscriptionID $subscriptionID

#Connect to Remote Powerwhell
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip

#Create a download location
md c:\temp

##Download the KB file
$source = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103731-x64_209b6a1aa4080f1da0773d8515ff63b8eca55159.msu"
$destination = "c:\temp\windows10.0-kb4103731-x64_209b6a1aa4080f1da0773d8515ff63b8eca55159.msu"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)

#Install the KB
expand -F:* $destination C:\temp\
dism /ONLINE /add-package /packagepath:"c:\temp\Windows10.0-KB4103731-x64.cab"

#Add the vulnerability key to allow unpatched clients
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2

#Set up Azure Serial Console flags
cmd
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 5
bcdedit /set {bootmgr} bootems yes
bcdedit /ems {current} on
bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200 

#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f

RS3 - Windows 10 version 1709 / Windows Server 2016 version 1709

#Set up your variables:
$subscriptionID = "<your subscription ID>"
$vmname = "<IP of your machine or FQDN>"
$PSPort = "5986" #change this variable if you customize HTTPS on powershell to another port

#​​​​Log in to your subscription
Add-AzureRmAccount
Select-AzureRmSubscription -SubscriptionID $subscriptionID
Set-AzureRmContext -SubscriptionID $subscriptionID

#Connect to Remote Powerwhell
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip

#Create a download location
md c:\temp

##Download the KB file
$source = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103727-x64_c217e7d5e2efdf9ff8446871e509e96fdbb8cb99.msu"
$destination = "c:\temp\windows10.0-kb4103727-x64_c217e7d5e2efdf9ff8446871e509e96fdbb8cb99.msu"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)

#Install the KB
expand -F:* $destination C:\temp\
dism /ONLINE /add-package /packagepath:"c:\temp\Windows10.0-KB4103727-x64.cab"

#Add the vulnerability key to allow unpatched clients
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2

#Set up Azure Serial Console flags
cmd
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 5
bcdedit /set {bootmgr} bootems yes
bcdedit /ems {current} on
bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200 

#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f

RS4 - Windows 10 1803 / Windows Server 2016 version 1803

#Set up your variables:
$subscriptionID = "<your subscription ID>"
$vmname = "<IP of your machine or FQDN>"
$PSPort = "5986" #change this variable if you customize HTTPS on powershell to another port

#​​​​Log in to your subscription
Add-AzureRmAccount
Select-AzureRmSubscription -SubscriptionID $subscriptionID
Set-AzureRmContext -SubscriptionID $subscriptionID

#Connect to Remote Powerwhell
$Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName $vmname -port $PSPort -Credential (Get-Credential) -useSSL -SessionOption $Skip

#Create a download location
md c:\temp

##Download the KB file
$source = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103721-x64_fcc746cd817e212ad32a5606b3db5a3333e030f8.msu"
$destination = "c:\temp\windows10.0-kb4103721-x64_fcc746cd817e212ad32a5606b3db5a3333e030f8.msu"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($source,$destination)

#Install the KB
expand -F:* $destination C:\temp\
dism /ONLINE /add-package /packagepath:"c:\temp\Windows10.0-KB4103721-x64.cab"

#Add the vulnerability key to allow unpatched clients
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2

#Set up Azure Serial Console flags
cmd
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 5
bcdedit /set {bootmgr} bootems yes
bcdedit /ems {current} on
bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200 

#Restart the VM to complete the installations/settings
shutdown /r /t 0 /f