Disable Remote Desktop Network Level Authentication using PowerShell

In today’s Ask the Admin, I’ll show you how to disable Remote Desktop Network Level Authentication with the help of Windows Management Instrumentation (WMI) and PowerShell.

Network Level Authentication (NLA) was introduced to improve security in Remote Desktop Protocol (RDP) 6.0 by requiring that users be authenticated to the host server before an RDP session is created, helping to reduce the risk of denial-of-service attacks. Initially NLA was only available for Windows Vista and Windows Server 2008, but later client support for Windows XP SP3 was added.

Although NLA is a welcome security enhancement that helps to make Remote Desktop safer, you might want to disable it in a dev environment for a couple of reasons:

  1. It’s not possible to log in to a domain member server using Remote Desktop unless a domain controller (DC) is available for authentication.
  2. Domain controllers must be booted before member servers are started, otherwise Remote Desktop access to member servers might be denied.

In production, the issues I’ve listed above should never be a reason to disable NLA. But in a dev environment, especially one where VMs are shut down regularly to reduce costs, it can be handy to disable NLA so that you don’t have to worry about the order in which VMs are booted, and work with member servers without necessarily needing to boot a DC. Remember that disabling NLA is not best practice, so you should always evaluate the risk in your own environment.

Disable Network Level Authentication

It’s easy to disable NLA using the GUI, but the reason to do it programmatically is to understand how to automate the task when deploying VMs in the cloud using PowerShell. The Remote Desktop NLA setting can be accessed under Advanced system settings in the System control panel.

Disabling Remote Desktop NLA using the GUI (Image Credit: Russell Smith)

In the example below, I use a variable, $ComputerName, to store the name of the server on which I want to disable NLA. The Get-WmiObject cmdlet is then used to return information about the current Remote Desktop settings, and all I need to do is specify the WMI class and namespace, which in the case of Remote Desktop is Win32_TSGeneralSetting and root\cimv2\terminalservices respectively.

You’ll notice that I’ve also added a filter to the command line so that only results for the RDP-tcp terminal are returned. By default in Windows Server, there is only one terminal configured, but in cases where there might be more than one, the filter comes in handy to return only the desired information. Make sure that you’re logged in to the server as a local administrator before running the commands below.

If your server configuration hasn't been changed from the default settings, you'll notice in the results that UserAuthenticationRequired is set to 1, or true, meaning that NLA is enabled.

To narrow down the results and return just the UserAuthenticationRequired setting, use the command below:

Use PowerShell to determine Remote Desktop configuration (Image Credit: Russell Smith)

Finally, to disable NLA, swap out UserAuthenticationRequired for SetUserAuthenticationRequired(0) as shown here:

Enable Network Level Authentication

To enable NLA, just replace the 0 after SetUserAuthenticationRequired with 1:
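
The steps described above (query the RDP-tcp setting, read UserAuthenticationRequired, then call SetUserAuthenticationRequired) combined into one script as an added example; this is not the article's original code. The server name DEVSRV01 and the function names Get-RdpNlaSetting and Set-RdpNla are assumptions made for illustration.

```powershell
# Added example (not the article's original listing).
# Needs Windows PowerShell: Get-WmiObject is not available in PowerShell 7.
# Run as a local administrator of the target server, as the article notes.

function Get-RdpNlaSetting {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Class and namespace from the article; the filter keeps only the RDP-tcp terminal.
    Get-WmiObject -Class 'Win32_TSGeneralSetting' `
        -Namespace 'root\cimv2\terminalservices' `
        -ComputerName $ComputerName `
        -Filter "TerminalName='RDP-tcp'" -ErrorAction Stop
}

function Set-RdpNla {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $setting = Get-RdpNlaSetting -ComputerName $ComputerName
    if (-not $setting) { throw "No RDP-tcp terminal found on $ComputerName" }

    $before = $setting.UserAuthenticationRequired
    $target = [int]$Enabled   # 1 = NLA required, 0 = NLA disabled

    if ($before -ne $target -and
        $PSCmdlet.ShouldProcess($ComputerName, "Set UserAuthenticationRequired to $target")) {
        $result = $setting.SetUserAuthenticationRequired($target)
        if ($result.ReturnValue -ne 0) {
            throw "SetUserAuthenticationRequired failed, ReturnValue $($result.ReturnValue)"
        }
    }

    # Re-query instead of trusting the call, so the change is confirmed on the server.
    $after = (Get-RdpNlaSetting -ComputerName $ComputerName).UserAuthenticationRequired
    [pscustomobject]@{
        ComputerName = $ComputerName
        Before       = $before
        After        = $after
        NlaEnabled   = [bool]$after
    }
}

$ComputerName = 'DEVSRV01'   # placeholder server name
(Get-RdpNlaSetting -ComputerName $ComputerName).UserAuthenticationRequired  # current value
Set-RdpNla -ComputerName $ComputerName -Enabled $false   # dev environment only
Set-RdpNla -ComputerName $ComputerName -Enabled $true    # restore NLA afterwards
```

Adding -WhatIf to a Set-RdpNla call reports the intended change without applying it, and the Before and After columns show whether the setting actually changed on the server.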


Comments (1)

One response to “Disable Remote Desktop Network Level Authentication using PowerShell”

  1. When I tried it on my Windows 10, the SetUserAuthenticationRequired method did not work.

     I used the registry commands below to disable NLA:

     Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.