diff --git a/lib/service/desktop.go b/lib/service/desktop.go
index 0fdc86faaa6a4..9b886ea0e49c8 100644
--- a/lib/service/desktop.go
+++ b/lib/service/desktop.go
@@ -24,6 +24,7 @@ import (
 	"log/slog"
 	"net"
 	"net/http"
+	"os"
 	"strconv"
 
 	"github.com/gravitational/trace"
@@ -236,6 +237,12 @@ func (process *TeleportProcess) initWindowsDesktopServiceRegistered(logger *slog
 		Hostname: cfg.Hostname,
 		ConnectedProxyGetter: proxyGetter,
 		ResourceMatchers: cfg.WindowsDesktop.ResourceMatchers,
+
+		// For now, NLA is opt-in via an environment variable.
+		// We'll make it the default behavior in a future release.
+		// NLA code is also not FIPS-compliant so we will disable it
+		// in FIPS mode
+		NLA: !process.Config.FIPS && os.Getenv("TELEPORT_ENABLE_RDP_NLA") == "yes",
 	})
 	if err != nil {
 		return trace.Wrap(err)
diff --git a/lib/srv/desktop/windows_server.go b/lib/srv/desktop/windows_server.go
index b729f32677f2c..18bc52af9d5b7 100644
--- a/lib/srv/desktop/windows_server.go
+++ b/lib/srv/desktop/windows_server.go
@@ -28,7 +28,6 @@ import (
 	"log/slog"
 	"maps"
 	"net"
-	"os"
 	"strconv"
 	"strings"
 	"time"
@@ -187,6 +186,9 @@ type WindowsServiceConfig struct {
 	Labels map[string]string
 	// ResourceMatchers match dynamic Windows desktop resources.
 	ResourceMatchers []services.ResourceMatcher
+	// NLA indicates whether the client should perform Network Level Authentication
+	// (NLA) when initiating the RDP session.
+	NLA bool
 }
 
 // HeartbeatConfig contains the configuration for service heartbeats.
@@ -356,10 +358,7 @@ func NewWindowsService(cfg WindowsServiceConfig) (*WindowsService, error) {
 		closeCtx: ctx,
 		close: close,
 		auditCache: newSharedDirectoryAuditCache(),
-
-		// For now, NLA is opt-in via an environment variable.
-		// We'll make it the default behavior in a future release.
-		enableNLA: os.Getenv("TELEPORT_ENABLE_RDP_NLA") == "yes",
+		enableNLA: cfg.NLA,
 	}
 
 	s.ca = winpki.NewCertificateStoreClient(winpki.CertificateStoreConfig{
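Review bot: In the second hunk of lib/service/desktop.go, an operator who sets `TELEPORT_ENABLE_RDP_NLA=yes` on a FIPS build gets NLA silently turned off — the expression `!process.Config.FIPS && ...` evaluates to false with no diagnostic, so the effective RDP security mode is not visible in the logs. The `logger` parameter is already in scope, so a short warning before the config literal would make the downgrade auditable, e.g. `if process.Config.FIPS && os.Getenv("TELEPORT_ENABLE_RDP_NLA") == "yes" { logger.Warn("NLA was requested via TELEPORT_ENABLE_RDP_NLA but is disabled in FIPS mode") }`. Logging the effective `NLA` value at startup in the non-FIPS case would likewise help when reviewing which sessions negotiated NLA. The function initWindowsDesktopServiceRegistered starts and ends outside the hunk.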
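Review bot: With the last hunk of lib/srv/desktop/windows_server.go, `enableNLA: cfg.NLA` means NewWindowsService now trusts the caller to apply the FIPS gate; the only place that gate exists is the call site in lib/service/desktop.go, so any other caller (tests, a future second constructor path) passing `NLA: true` on a FIPS build would enable the non-FIPS-compliant path without complaint. If NewWindowsService cannot see the FIPS setting itself, the constraint should at least be recorded next to the field it feeds, e.g. `// enableNLA must be gated by the caller: the NLA implementation is not FIPS-compliant (see lib/service/desktop.go).`, and ideally also on the `NLA` field's doc comment in the struct hunk above. Note too that the zero value of WindowsServiceConfig now disables NLA, whereas the removed code read the environment directly; callers that relied on that implicit behaviour (I cannot tell from here whether any exist) lose it. NewWindowsService starts and ends outside the hunk.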