diff --git a/docs/pages/enroll-resources/desktop-access/active-directory.mdx b/docs/pages/enroll-resources/desktop-access/active-directory.mdx
index fb2ef7774f592..4351a288a8a8c 100644
--- a/docs/pages/enroll-resources/desktop-access/active-directory.mdx
+++ b/docs/pages/enroll-resources/desktop-access/active-directory.mdx
@@ -822,6 +822,8 @@ only supported when connecting to hosts that are part of an Active Directory
 domain. Teleport will not perform NLA when connecting to hosts as a local
 Windows user.
 
+NLA is not supported when Teleport runs in FIPS mode.
+
 ### Computer Name
 
 In order to complete a successful authentication flow, Teleport needs to know
diff --git a/lib/service/desktop.go b/lib/service/desktop.go
index 2b79491f2bbd1..f7155917a89ba 100644
--- a/lib/service/desktop.go
+++ b/lib/service/desktop.go
@@ -24,6 +24,7 @@ import (
 	"log/slog"
 	"net"
 	"net/http"
+	"os"
 	"strconv"
 
 	"github.com/gravitational/trace"
@@ -238,6 +239,12 @@ func (process *TeleportProcess) initWindowsDesktopServiceRegistered(logger *slog
 		Hostname:                     cfg.Hostname,
 		ConnectedProxyGetter:         proxyGetter,
 		ResourceMatchers:             cfg.WindowsDesktop.ResourceMatchers,
+
+		// For now, NLA is opt-in via an environment variable.
+		// We'll make it the default behavior in a future release.
+		// NLA code is also not FIPS-compliant so we will disable it
+		// in FIPS mode
+		NLA: !process.Config.FIPS && os.Getenv("TELEPORT_ENABLE_RDP_NLA") == "yes",
 	})
 	if err != nil {
 		return trace.Wrap(err)
diff --git a/lib/srv/desktop/windows_server.go b/lib/srv/desktop/windows_server.go
index 0efef2bd2c04d..c2f8cc1775445 100644
--- a/lib/srv/desktop/windows_server.go
+++ b/lib/srv/desktop/windows_server.go
@@ -27,7 +27,6 @@ import (
 	"fmt"
 	"log/slog"
 	"net"
-	"os"
 	"strconv"
 	"strings"
 	"sync"
@@ -220,6 +219,9 @@ type WindowsServiceConfig struct {
 	Labels               map[string]string
 	// ResourceMatchers match dynamic Windows desktop resources.
 	ResourceMatchers []services.ResourceMatcher
+	// NLA indicates whether the client should perform Network Level Authentication
+	// (NLA) when initiating the RDP session.
+	NLA bool
 }
 
 // HeartbeatConfig contains the configuration for service heartbeats.
@@ -369,10 +371,7 @@ func NewWindowsService(cfg WindowsServiceConfig) (*WindowsService, error) {
 		closeCtx:    ctx,
 		close:       close,
 		auditCache:  newSharedDirectoryAuditCache(),
-
-		// For now, NLA is opt-in via an environment variable.
-		// We'll make it the default behavior in a future release.
-		enableNLA: os.Getenv("TELEPORT_ENABLE_RDP_NLA") == "yes",
+		enableNLA:   cfg.NLA,
 	}
 
 	s.ca = windows.NewCertificateStoreClient(windows.CertificateStoreConfig{