Azure VMs and disabling NLA on domain level.

Wtorkiewicz, Pawel 26 Reputation points
2021-02-11T08:42:21.303+00:00

Hello Team,

I'd like to ask if NLA is required for VMs in Azure? We want to disable it by using Group Policy Objects (GPOs).

Thanks!

Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.

6 answers

  1. Sumarigo-MSFT 43,801 Reputation points Microsoft Employee
    2021-02-11T09:01:54.993+00:00

    @Wtorkiewicz, Pawel Welcome to Microsoft Q&A, Thank you for posting your query!

    The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.

    There is an easy method to disable NLA via the Azure portal. You can navigate to Operations > Run command, select the DisableNLA script, then click the Run button. After the run command script finishes, restart your Azure VM for the change to take effect. See here:

    Alternatively, you could also invoke Run Command with PowerShell or Azure CLI.

    https://learn.microsoft.com/en-us/azure/virtual-machines/windows/run-command

    • You can use the Serial Console feature. Open an administrative CMD instance and regain access to the VM by disabling NLA:

    REM Disable the Network Level Authentication
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fAllowSecProtocolNegotiation /t REG_DWORD /d 0 /f

    Adding more information: Network Level Authentication (NLA) was conceived to improve security in Remote Desktop Protocol by requiring that users be authenticated to another party (a host server or Domain Controller) before an RDP session is created, helping to reduce the risk of denial-of-service attacks and enhancing OS security.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    ------------------------------------------------------------------------------------------------------------

    Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

    3 people found this answer helpful.
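The answer above shows the three RDP-Tcp registry values that the DisableNLA steps change. The following PowerShell is an added example, not code from the thread or from Microsoft: it audits those values on a VM so an administrator can see whether NLA is still enforced, and restores the hardened defaults (UserAuthentication=1, SecurityLayer=2) if needed. The audit is run locally (for instance through Run Command); the `Get-AzVMRdpNlaState` wrapper, the resource group and VM names, and the `Restore-RdpNla` function name are assumptions for illustration.

```powershell
# Added example (not from the thread): audit and restore the NLA-related
# values on the RDP-Tcp listener. Assumes it runs elevated on the VM itself,
# e.g. pushed through Azure Run Command (CommandId 'RunPowerShellScript').

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpNlaState {
    # Read the three values touched by the DisableNLA steps in the answer above.
    # A missing value reads as 0 through the [int] cast, i.e. "not enforced".
    $props = Get-ItemProperty -Path $RdpTcpKey
    [pscustomobject]@{
        UserAuthentication           = [int]$props.UserAuthentication            # 1 = NLA required
        SecurityLayer                = [int]$props.SecurityLayer                 # 0 = RDP, 1 = Negotiate, 2 = TLS
        fAllowSecProtocolNegotiation = [int]$props.fAllowSecProtocolNegotiation
        NlaEnforced                  = ([int]$props.UserAuthentication -eq 1)
    }
}

function Restore-RdpNla {
    # Hypothetical helper: re-apply the hardened settings that DisableNLA removes.
    Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication           -Type DWord -Value 1
    Set-ItemProperty -Path $RdpTcpKey -Name SecurityLayer                -Type DWord -Value 2
    Set-ItemProperty -Path $RdpTcpKey -Name fAllowSecProtocolNegotiation -Type DWord -Value 1
    # The RDP listener picks the change up after a restart of the VM (or of TermService).
    Get-RdpNlaState
}

function Get-AzVMRdpNlaState {
    # Hypothetical wrapper: run the same audit inside an Azure VM from the
    # Az.Compute module, using the Run Command feature the answer refers to.
    # ResourceGroupName and VMName are placeholders supplied by the caller.
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VMName
    )
    $scriptPath = Join-Path $env:TEMP 'Get-RdpNlaState.ps1'
    @"
Get-ItemProperty -Path '$RdpTcpKey' |
    Select-Object UserAuthentication, SecurityLayer, fAllowSecProtocolNegotiation |
    ConvertTo-Json
"@ | Set-Content -Path $scriptPath

    $result = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -CommandId 'RunPowerShellScript' -ScriptPath $scriptPath
    # Stdout of the in-guest script is returned in the first status message.
    $result.Value[0].Message | ConvertFrom-Json
}

# Local usage: report the current state and flag a listener that no longer requires NLA.
$state = Get-RdpNlaState
$state | Format-List
if (-not $state.NlaEnforced) {
    Write-Warning "NLA is not enforced on this host: RDP clients get a session before they authenticate."
}
```

The audit reads the same three values that the `reg add` lines in the answer set to 0, so it can be dropped into a Run Command or scheduled task to detect drift after a GPO change. `Restore-RdpNla` is only called on purpose; it is not invoked by the script's top-level usage.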

  2. Wtorkiewicz, Pawel 26 Reputation points
    2021-02-15T10:35:39.317+00:00

    Hello,

    Still following up. Can you confirm if the above settings can be disabled and should not have any impact on Azure VMs?


  3. Sumarigo-MSFT 43,801 Reputation points Microsoft Employee
    2021-02-15T10:56:02.533+00:00

    @Wtorkiewicz, Pawel Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.
    Technically it would be possible, but I don't think that would be recommended, keeping security aspects in mind.

    • Disabling via GPO is possible

    Appreciate your time and patience!

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    --------------------------------------------------------------------------------------------------------------------------------------

    Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.


  4. Wtorkiewicz, Pawel 26 Reputation points
    2021-02-16T22:24:27.71+00:00

    Hello @Sumarigo-MSFT thanks for the answer.

    Can you explain it a bit more, as it's not clear enough for me yet? I know it's technically possible, but we wonder if this will not break the Azure VMs. I'm talking about core VM requirements, not some specific application which might be running on it.

    So we just need to know if the below settings are not some kind of prerequisite for Azure VMs to run/report/etc.

    We plan to disable the NLA and NCSI active/passive probes as described in the reference article:
    https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/internet-explorer-edge-open-connect-corporate-public-network


  5. Wtorkiewicz, Pawel 26 Reputation points
    2021-03-02T10:12:35.873+00:00

    @Sumarigo-MSFT may I ask for confirmation that the above assumption is correct and we can safely disable the settings described in the reference article?
