CredSSP Registry key keeps reverting
I am not a pro, just a starter, so please ignore anything that does not seem the way it should be.
I am patching a vulnerability: CredSSP remote code execution.
Whenever I change the AllowEncryptionOracle DWORD value to 1 to mitigate the issue, it keeps reverting to 2. I am quite sure that this is a GPO changing it. My question is how to check it. I went to Event Viewer, and in the Security log I can see where it shows that I changed the value of the key in the registry, but it does not show anywhere who is changing it back to 2. Is there a way to find out who is changing the value? If it's a GPO, will it not show the GPO changing the value in the key, or will it just show the GPO as implemented/successful, something like that? If this is the case, is there a solution for finding out who reverted the value back to 2?
Please try to use Event Viewer in Windows to see what happened when it is reverted. Please look at the article below, which might help you with how to use Event Viewer.
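
The Event Viewer check suggested above can be scripted; the following is an added example and not part of the original thread. It assumes registry auditing is already active on the key (the manual change did appear in the Security log) and that the setting is delivered through the "Encryption Oracle Remediation" policy; the variable names and report path are illustrative.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell session.
# Assumption: auditing of the key is already enabled, because the asker's own
# change was recorded in the Security log.
$valueName = 'AllowEncryptionOracle'

# Event ID 4657 = "A registry value was modified". The named fields live in the
# event XML, so build a name -> value map for each event.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } `
    -ErrorAction SilentlyContinue

$changes = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    if ($data['ObjectValueName'] -ne $valueName) { continue }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        User     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Process  = $data['ProcessName']   # executable that wrote the value
        OldValue = $data['OldValue']
        NewValue = $data['NewValue']
        Key      = $data['ObjectName']
    }
}

# Oldest first: the row where NewValue is 2 names the account and process
# that reverted the setting.
$changes | Sort-Object Time | Format-Table -AutoSize -Wrap

# Group Policy side: write the computer-scope Resultant Set of Policy report and
# look in it for "Encryption Oracle Remediation" and the GPO that sets it.
$report = Join-Path $env:TEMP 'gpresult-computer.html'   # illustrative path
gpresult /scope computer /h $report /f

# Recent Group Policy processing events, to compare their timestamps with the
# time of the revert found above.
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

If the first table is empty for the revert, the audit entry on the key may not cover the account that writes it, so the auditing scope on the key is the first thing to check.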