diff --git a/docs/pages/enroll-resources/desktop-access/active-directory.mdx b/docs/pages/enroll-resources/desktop-access/active-directory.mdx
index 169f32d83ca3e..ee983203a93cd 100644
--- a/docs/pages/enroll-resources/desktop-access/active-directory.mdx
+++ b/docs/pages/enroll-resources/desktop-access/active-directory.mdx
@@ -869,6 +869,8 @@ only supported when connecting to hosts that are part of an Active Directory
 domain. Teleport will not perform NLA when connecting to hosts as a local
 Windows user.
 
+NLA is not supported when Teleport runs in FIPS mode.
+
 ### Computer Name
 
 In order to complete a successful authentication flow, Teleport needs to know
diff --git a/lib/service/desktop.go b/lib/service/desktop.go
index 3c266453b7204..b8140853c6b1a 100644
--- a/lib/service/desktop.go
+++ b/lib/service/desktop.go
@@ -24,6 +24,7 @@ import (
 	"log/slog"
 	"net"
 	"net/http"
+	"os"
 	"strconv"
 
 	"github.com/gravitational/trace"
@@ -236,6 +237,12 @@ func (process *TeleportProcess) initWindowsDesktopServiceRegistered(logger *slog
 		Hostname:             cfg.Hostname,
 		ConnectedProxyGetter: proxyGetter,
 		ResourceMatchers:     cfg.WindowsDesktop.ResourceMatchers,
+
+		// For now, NLA is opt-in via an environment variable.
+		// We'll make it the default behavior in a future release.
+		// NLA code is also not FIPS-compliant so we will disable it
+		// in FIPS mode
+		NLA: !process.Config.FIPS && os.Getenv("TELEPORT_ENABLE_RDP_NLA") == "yes",
 	})
 	if err != nil {
 		return trace.Wrap(err)
diff --git a/lib/srv/desktop/windows_server.go b/lib/srv/desktop/windows_server.go
index cf179b4b6d1a0..ea87227840585 100644
--- a/lib/srv/desktop/windows_server.go
+++ b/lib/srv/desktop/windows_server.go
@@ -27,7 +27,6 @@ import (
 	"fmt"
 	"log/slog"
 	"net"
-	"os"
 	"strconv"
 	"strings"
 	"time"
@@ -187,6 +186,9 @@ type WindowsServiceConfig struct {
 	Labels               map[string]string
 	// ResourceMatchers match dynamic Windows desktop resources.
 	ResourceMatchers []services.ResourceMatcher
+	// NLA indicates whether the client should perform Network Level Authentication
+	// (NLA) when initiating the RDP session.
+	NLA bool
 }
 
 // HeartbeatConfig contains the configuration for service heartbeats.
@@ -354,10 +356,7 @@ func NewWindowsService(cfg WindowsServiceConfig) (*WindowsService, error) {
 		closeCtx:    ctx,
 		close:       close,
 		auditCache:  newSharedDirectoryAuditCache(),
-
-		// For now, NLA is opt-in via an environment variable.
-		// We'll make it the default behavior in a future release.
-		enableNLA: os.Getenv("TELEPORT_ENABLE_RDP_NLA") == "yes",
+		enableNLA:   cfg.NLA,
 	}
 
 	s.ca = winpki.NewCertificateStoreClient(winpki.CertificateStoreConfig{