diff --git a/docs/pages/enroll-resources/desktop-access/active-directory.mdx b/docs/pages/enroll-resources/desktop-access/active-directory.mdx
index bc8d7b2f9f8e5..41d9862adac12 100644
--- a/docs/pages/enroll-resources/desktop-access/active-directory.mdx
+++ b/docs/pages/enroll-resources/desktop-access/active-directory.mdx
@@ -842,6 +842,8 @@ only supported when connecting to hosts that are part of an Active Directory
 domain. Teleport will not perform NLA when connecting to hosts as a local
 Windows user.
 
+NLA is not supported when Teleport runs in FIPS mode.
+
 ### Computer Name
 
 In order to complete a successful authentication flow, Teleport needs to know
diff --git a/lib/service/desktop.go b/lib/service/desktop.go
index f1de94dda6c60..33ec82cd2cbca 100644
--- a/lib/service/desktop.go
+++ b/lib/service/desktop.go
@@ -24,6 +24,7 @@ import (
 	"log/slog"
 	"net"
 	"net/http"
+	"os"
 	"strconv"
 
 	"github.com/gravitational/trace"
@@ -239,6 +240,12 @@ func (process *TeleportProcess) initWindowsDesktopServiceRegistered(logger *slog
 		DiscoveryLDAPAttributeLabels: cfg.WindowsDesktop.Discovery.LabelAttributes,
 		Hostname:                     cfg.Hostname,
 		ConnectedProxyGetter:         proxyGetter,
+
+		// For now, NLA is opt-in via an environment variable.
+		// We'll make it the default behavior in a future release.
+		// NLA code is also not FIPS-compliant so we will disable it
+		// in FIPS mode
+		NLA: !process.Config.FIPS && os.Getenv("TELEPORT_ENABLE_RDP_NLA") == "yes",
 	})
 	if err != nil {
 		return trace.Wrap(err)
diff --git a/lib/srv/desktop/windows_server.go b/lib/srv/desktop/windows_server.go
index 2ef66975604e6..fa4f47b58df66 100644
--- a/lib/srv/desktop/windows_server.go
+++ b/lib/srv/desktop/windows_server.go
@@ -27,7 +27,6 @@ import (
 	"fmt"
 	"log/slog"
 	"net"
-	"os"
 	"strconv"
 	"strings"
 	"sync"
@@ -217,6 +216,9 @@ type WindowsServiceConfig struct {
 	// ConnectedProxyGetter gets the proxies teleport is connected to.
 	ConnectedProxyGetter *reversetunnel.ConnectedProxyGetter
 	Labels               map[string]string
+	// NLA indicates whether the client should perform Network Level Authentication
+	// (NLA) when initiating the RDP session.
+	NLA bool
 }
 
 // HeartbeatConfig contains the configuration for service heartbeats.
@@ -366,10 +368,7 @@ func NewWindowsService(cfg WindowsServiceConfig) (*WindowsService, error) {
 		closeCtx:    ctx,
 		close:       close,
 		auditCache:  newSharedDirectoryAuditCache(),
-
-		// For now, NLA is opt-in via an environment variable.
-		// We'll make it the default behavior in a future release.
-		enableNLA: os.Getenv("TELEPORT_ENABLE_RDP_NLA") == "yes",
+		enableNLA:   cfg.NLA,
 	}
 
 	s.ca = windows.NewCertificateStoreClient(windows.CertificateStoreConfig{