After setting the Encryption Oracle Remediation policy setting "Force Updated Clients" according to Microsoft's website (CredSSP updates for CVE-2018-0886) on several Windows systems, users are not able to log in to any of these systems through PAM. The users receive errors like the following:
2019-05-22 09:38:54 ERROR - An error occurred in NTLM handshake: com.ca.xsuite.app.rdp3.core.common.libs.org.apache.harmony.security.asn1.ASN1Exception: security.132 com.ca.xsuite.app.rdp3.client.handler.cssp.ClientNTLM [PAM Access Agent-3]
This is caused by setting the Encryption Oracle Remediation policy to "Force Updated Clients". With this setting, the built-in RDP applet will not work.
Set the Encryption Oracle Remediation policy setting to "Mitigated" for those systems where CredSSP has been deployed and a connection is required from PAM.
Please note:
The "Force Updated Clients" registry value can be used. The built-in RDP applet will not work, but the new RDP Proxy functionality could be used instead, which allows any local RDP client on the user's desktop to make the connection.
Please see the following documentation page: Create an RDP Proxy Service to Access a Device.
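To check which setting a target system currently has before changing it, the following added example (not part of the original article or of CA PAM) reads the AllowEncryptionOracle registry value that backs the policy. The registry path and the 0/1/2 mapping are from Microsoft's CVE-2018-0886 CredSSP guidance; the function name and output fields are hypothetical.

```powershell
# Added example: report the Encryption Oracle Remediation setting on a Windows system.
# Get-EncryptionOracleSetting is a hypothetical helper name, not a built-in cmdlet.
function Get-EncryptionOracleSetting {
    # Registry location and value name per Microsoft's CVE-2018-0886 guidance.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    $name = 'AllowEncryptionOracle'

    # Documented DWORD values and the policy setting each one represents.
    $settings = @{
        0 = 'Force Updated Clients'
        1 = 'Mitigated'
        2 = 'Vulnerable'
    }

    # What the article states about the built-in RDP applet for each setting.
    $applet = @{
        0 = 'Fails (set Mitigated or use RDP Proxy)'
        1 = 'Works'
        2 = 'Not covered by the article'
    }

    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value absent: the policy is not configured and the OS default
        # applies, which depends on the installed CredSSP update level.
        return [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Value      = $null
            Setting    = 'Not configured (OS default applies)'
            PamApplet  = 'Depends on the OS default'
        }
    }

    $value = [int]$item.$name
    $known = $settings.ContainsKey($value)
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Value     = $value
        Setting   = if ($known) { $settings[$value] } else { 'Unknown value' }
        PamApplet = if ($known) { $applet[$value] } else { 'Unknown' }
    }
}

Get-EncryptionOracleSetting | Format-List
```

Because the function is self-contained, it can also be run against several target systems with `Invoke-Command -ComputerName <hosts> -ScriptBlock ${function:Get-EncryptionOracleSetting}`, assuming PowerShell remoting is enabled on them.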