Unfortunately, because we don’t support all of our customers for their entire server estate (though we would like to!), we have had an issue recently since the May updates where some servers are getting patched and others are not. This means that patched servers are unable to remote desktop to unpatched servers because of the CredSSP encryption oracle remediation. It usually gives an authentication error when trying to log on, something like this:

It’s not the most helpful, as if you only have remote access you can’t get on the servers to patch them! So through various troubleshooting I realized that the Network Level Authentication (NLA) setting on the end computer could be removed, thus enabling temporary access to patch the affected server. So how to do that remotely without console access? https://www.petri.com/disable-remote-desktop-network-level-authentication-using-powershell to the rescue. Note you must have network connectivity to the machine.

$ComputerName = "ServerWithOutPatch"

(Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -ComputerName $ComputerName -Filter "TerminalName='RDP-tcp'").UserAuthenticationRequired

This should give you back “1” which means NLA is enabled.

To disable it run:

(Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -ComputerName $ComputerName -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)

If you run the original get again you will see this has changed to 0.  Now you should be able to get on and patch!  Don’t forget to turn NLA back on again after.
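The same steps can be wrapped so the starting NLA value is recorded, each change is verified, and NLA is put back once patching is done. This is an added example, not code from the original post or the linked Petri article; the function names Get-NlaSetting and Set-NlaState are hypothetical, and it assumes Windows PowerShell with admin rights on the target.

```powershell
# Added example: helper names (Get-NlaSetting, Set-NlaState) are hypothetical.
function Get-NlaSetting {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Same WMI class, namespace and filter as the commands above.
    Get-WmiObject -Class Win32_TSGeneralSetting `
        -Namespace root\cimv2\terminalservices `
        -ComputerName $ComputerName `
        -Filter "TerminalName='RDP-tcp'" -ErrorAction Stop
}

function Set-NlaState {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Required
    )
    $setting = Get-NlaSetting -ComputerName $ComputerName
    $result  = $setting.SetUserAuthenticationRequired($Required)
    if ($result.ReturnValue -ne 0) {
        throw "SetUserAuthenticationRequired failed on $ComputerName (ReturnValue $($result.ReturnValue))"
    }
    # Re-query the server rather than trusting the cached object.
    $now = (Get-NlaSetting -ComputerName $ComputerName).UserAuthenticationRequired
    if ($now -ne $Required) {
        throw "NLA on $ComputerName is $now, expected $Required"
    }
    # Timestamped line for the change record.
    "{0}  {1}  UserAuthenticationRequired={2}" -f (Get-Date -Format s), $ComputerName, $now
}

$ComputerName = "ServerWithOutPatch"   # placeholder name from the post

# 1. Record the starting state, then open the temporary window.
$original = (Get-NlaSetting -ComputerName $ComputerName).UserAuthenticationRequired
Set-NlaState -ComputerName $ComputerName -Required 0

# 2. RDP in, install the CredSSP update, reboot, then continue here.
Read-Host "Patch $ComputerName, then press Enter to restore NLA"

# 3. Restore the recorded value (1 if NLA was on at the start).
Set-NlaState -ComputerName $ComputerName -Required $original
```

Keeping the output lines gives a record of exactly how long each server ran without NLA.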

Hope it helps!
