How to change Network Level Authentication on a Windows Server via Command Line

For a Systems Administrator, this generally is a fairly simple process. Open My Computer, right-click on properties and go to Remote Settings and under Remote Desktop, uncheck the box that says “Allow connections only from computers running Remote Desktop with Network Level Authentication (Recommended)”

Well, let’s assume the scenario where you cannot log in via AD authentication and for some reason, you’re unable to find the Administrator’s password or it isn’t working. This is where the winrs command comes in handy. You can simply alter the settings from another VM that is joined to the same domain.

Run cmd as Administrator and run the following to Query current NLA (Network Level Authentication) settings:

winrs -r:VMname.domain.com reg query “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP” /v UserAuthentication

Run the following command to disable NLA.

winrs -r:VMname.domain.com reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP” /v UserAuthentication /t REG_DWORD /d “0” /f

Verify by running the query command again:

winrs -r:VMname.domain.com reg query “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP” /v UserAuthentication

If for some reason, you want to login from the local Administrator account, you can run the following command to change it.

That’s it, you can now login via your AD account or local Administrator via RDP. Cheers!

Note: This guide is meant for those who are working as a System Administrator and not meant for a developer with limited knowledge of Operating Systems. If you find this guide, please do not implement it on your own, without the guidance of your company’s IT Manager or System Administrator.