Disable NLA via Custom Script Extension

Symptoms: When attempting to RDP to your virtual machine, you receive an error regarding Network Level Authentication (NLA).


Note: The steps below use the Custom Script Extension in the Azure Portal. If that is not an option because the Guest Agent is not responding, you can also run the same commands via Remote PowerShell or PsExec, or make the changes via Remote Registry.

1) Open a blank Notepad document and paste the following into it:

# SecurityLayer 0 = RDP security layer; UserAuthentication 0 = NLA not required
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "SecurityLayer" -value 0

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -value 0

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "fAllowSecProtocolNegotiation" -value 0

# fDenyTSConnections 0 = Remote Desktop connections are allowed
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -Value 0

2) Save the file as disableNLA.ps1

3) Navigate to the Azure Portal

4) Select the impacted VM

5) Select extensions

6) Select Add

7) Select Custom Script Extension

8) Select Create

9) Select the disableNLA.ps1 created in the previous steps

10) Install the .ps1 file. No arguments are needed.

11) Go back to the extensions tab and wait for the Custom Script to report as successful

12) Attempt to RDP to the machine. If it fails, restart the VM and attempt to RDP to it again.
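
To make the change reversible, the following added example (not part of the original post) records the four registry values before disableNLA.ps1 runs and puts them back once access is restored. The -Mode parameter and the backup path are assumptions made for the example.

```powershell
# Added example, not part of the original post.
param([ValidateSet('Show','Backup','Restore')][string]$Mode = 'Show')

# Assumed backup location (hypothetical); use a folder only administrators can write to.
$BackupPath = 'C:\Windows\Temp\rdp-security-backup.json'
$RdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TermSrv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# The four values that disableNLA.ps1 overwrites.
$Targets = @(
    @{ Path = $RdpTcp;  Name = 'SecurityLayer' },
    @{ Path = $RdpTcp;  Name = 'UserAuthentication' },
    @{ Path = $RdpTcp;  Name = 'fAllowSecProtocolNegotiation' },
    @{ Path = $TermSrv; Name = 'fDenyTSConnections' }
)

function Get-RdpSecuritySettings {
    foreach ($t in $Targets) {
        $item = Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path  = $t.Path
            Name  = $t.Name
            # $null records that the value did not exist before the change
            Value = if ($item) { $item.($t.Name) } else { $null }
        }
    }
}

switch ($Mode) {
    'Show' {
        Get-RdpSecuritySettings | Format-Table Name, Value -AutoSize
    }
    'Backup' {
        Get-RdpSecuritySettings | ConvertTo-Json | Set-Content -Path $BackupPath -Encoding UTF8
    }
    'Restore' {
        $saved = Get-Content -Path $BackupPath -Raw | ConvertFrom-Json
        foreach ($s in $saved) {
            if ($null -eq $s.Value) {
                # The value was absent originally, so remove what the script created
                Remove-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
            } else {
                Set-ItemProperty -Path $s.Path -Name $s.Name -Value ([int]$s.Value)
            }
        }
        Get-RdpSecuritySettings | Format-Table Name, Value -AutoSize
    }
}
```

Run it with -Mode Backup through the same channel as disableNLA.ps1 before making the change, and with -Mode Restore once the RDP problem is resolved. A UserAuthentication value of 1 in the output means NLA is required again.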

Author: micahmckittrick

28 years old. Azure Engineer @Microsoft

3 thoughts on “Disable NLA via Custom Script Extension”

  1. Thank you so much! Worked like a charm. I have a Fedora desktop environment and now I’m able to access my Azure machine via rdesktop.

