Help with requiring Network Level Authentication for RDP

Hello Experts,

We are working on remediating some security vulnerabilities. One of the low-hanging fruit that I thought I would remediate is the requirement to allow RDP connections from computers running Remote Desktop with Network Level Authentication. Below is a screenshot from one of our workstations showing the current setting:

[Screenshot: Current settings on workstations]
As you can see, we currently allow connections from any version of Remote Desktop.

The setting to require Network Level Authentication had been configured in our default domain policy.  It was set to “disabled”.  I have changed the setting to “enabled” and applied the change.  

[Screenshot: NLA required set to enabled]
I have saved the GPO and let domain replication take place. When I do a gpupdate /force /sync and restart, the RDP settings are the same as they were in the first screenshot. What am I missing here?

Thanks in advance.
Nick
ndalmolin_13 Asked:

masnrock Commented:
Sometimes it takes a little time for the GPO update to hit all of the PCs. Other times, you might need to restart the workstations (or at least log out of them).
Cliff Galiher Commented:
I'll need to test in a lab, but I think that is one setting that doesn't get reflected in that particular GUI. But the service picks up the registry change and enforces it nonetheless.

Cliff Galiher Commented:
As a complete aside, I recommend never editing the default domain policy. It is best to create new policies and link them at the domain level instead.
Pber Solutions Architect Commented:
As per the above recommendation, perhaps placing this setting in its own policy would be a good start. Then ensure that the policy is deployed to containers with computers with the appropriate security.

Perform a gpresult /r and analyse the results to ensure the policy applied.
Alternately you could do an rsop.msc on the target machine and navigate to the specific NLA setting to ensure it is being set.
ndalmolin_13 Author Commented:
Good point about not using the default domain policy. I will have to start backing settings out and setting up their own GPOs.
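
One way to check what the comments above describe, that the requirement can be enforced even when the Remote Desktop dialog looks unchanged, is to read the policy registry value and ask the RDP listener directly. This is an added example, not part of the original thread; the registry paths and the WMI class are standard Windows locations that the thread does not name.

```powershell
# Added example, not from the thread. Run elevated on the target workstation.
# Registry paths and the WMI class are standard Windows locations (assumed here).
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, e.g. the GPO never reached this machine.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$policyValue   = Get-RegDword -Path $policyKey   -Name 'UserAuthentication'
$listenerValue = Get-RegDword -Path $listenerKey -Name 'UserAuthentication'

# Ask the RDP listener what it enforces, independent of the System Properties dialog.
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName 'Win32_TSGeneralSetting' -Filter "TerminalName='RDP-Tcp'"

$verdict = if ($ts.UserAuthenticationRequired -eq 1 -and $policyValue -eq 1) {
    'NLA enforced by Group Policy'
} elseif ($ts.UserAuthenticationRequired -eq 1) {
    'NLA enforced by a local setting only (policy value missing or not 1)'
} elseif ($policyValue -eq 1) {
    'Policy value present but listener does not report NLA; reboot or check the service'
} else {
    'NLA not required; check that the GPO applied to this computer'
}

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    PolicyRegistryValue = $policyValue      # 1 = NLA required by policy, $null = not set
    ListenerRegistry    = $listenerValue    # local (non-policy) listener setting
    ListenerReportsNLA  = $ts.UserAuthenticationRequired
    Verdict             = $verdict
}

# List the computer-scope GPOs that applied, to confirm the GPO carrying the setting is among them.
gpresult /r /scope computer
```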