We help IT Professionals succeed at work.

Help with requiring Network Level Authentication for RDP

Hello Experts,

We are working on remediating some security vulnerabilities.  One of the low hanging fruit that I thought I would remediate is the requirement to allow RDP connections from computers running Remote Desktop with Network Level Authentication.  Below is a screenshot from one of our workstations showing the current setting:

Current settings on workstations
As you can see, we currently allow connections from any version of Remote Desktop.

The setting to require Network Level Authentication had been configured in our default domain policy.  It was set to “disabled”.  I have changed the setting to “enabled” and applied the change.  

NLA required set to enabled
I have saved the GPO and let domain replication take place.  When I do a gpupate /force /sync and restart the RDP settings are the same as they were in the first screenshot.  What am I missing here?

Thanks in advanced.
Watch Question

Distinguished Expert 2018

Sometimes it takes a little time for the GPO update to hit all of the PCs. Other times, you might need to restart the workstations (or at least log out of them).
Distinguished Expert 2018
I'll need to test lab, but I think that is one setting that I don't think gets reflected in that particular GUI. But the service picks up the registry change and enforces it nonetheless.
Distinguished Expert 2018

As a complete aside, I recommend never editing the default domain policy. It is best to create new policies and link them at the domain level instead.
PberSolutions Architect

As per the above recommendation, perhaps place this setting it its own policy would be a good start.  Then ensure that the policy is deployed to containers with computers with the appropriate security.

Perform a gpresult /r and analyse the results to ensure the policy applied.
Alternately you could so a rsop.msc on the target machine and navigate to the specific NLA setting to ensure it is being set.


Good point about not using the default domain policy.  I will have to start backing settings out and setting up their own GPOs.