We currently enforce NLA on our domain controllers but it's proving something of a mixed blessing.
Our admins use Tier 0 admin accounts for work on these servers that require it, but for some that isn't very frequent, so from time to time they get locked out when the account password expires, as CredSSP doesn't support password change on login.

So far as we're aware, NLA offers two main advantages:
1. decoupling authentication from the RDP service so that where we haven't patched against CVE-2019-0708 we aren't vulnerable to a BlueKeep-style attack
2. not launching a full RDP session until after authentication so unauthenticated RDP sessions can't be used as a medium for DoS attacks through resource exhaustion
Well - we're patched, and as we don't expose RDP we're talking about a bad actor who's already on our network and therefore may well have other fish to fry.
Sadly, we're unlikely to be introducing stronger authentication methods such as biometrics or keys any time in the very near future, so for on-prem access we still rely on the strength of the username/password pair. Unsure of the future of NLA in the modern world, too. Lengthening password lifetimes will just kick the can down the road and make it less likely that the thwarted admin will remember what s/he did last time.
So - we're considering ditching NLA. I'd be interested to learn whether anyone thinks it's a lousy idea (and why).
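The two operational facts behind the post (whether NLA is actually enforced on a given server, and which Tier 0 accounts are about to hit the CredSSP password-expiry lockout) can both be checked rather than guessed at. The script below is an added example, not part of the original post: it reads the RDP-Tcp listener's NLA and TLS settings from the registry and then lists members of a Tier 0 group whose passwords are expired or expire within a warning window, so the account can be rotated at a logon that still works. The group name `Tier0-Admins` and the 14-day window are placeholders; the registry values and the `msDS-UserPasswordExpiryTimeComputed` attribute are standard Windows/AD ones.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# is available and that 'Tier0-Admins' is a placeholder for the real Tier 0 group.

# 1. NLA enforcement as stored on the RDP-Tcp listener:
#    UserAuthentication = 1 -> NLA required; SecurityLayer = 2 -> TLS required.
$rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication, SecurityLayer
[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    NlaRequired = ($rdp.UserAuthentication -eq 1)
    TlsRequired = ($rdp.SecurityLayer -eq 2)
}

# 2. Tier 0 accounts whose password is expired or expires within $warnDays.
#    msDS-UserPasswordExpiryTimeComputed is a FILETIME; 0 or Int64.MaxValue means "never".
$warnDays = 14                 # placeholder warning window
$group    = 'Tier0-Admins'     # placeholder: substitute the real Tier 0 group
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties PasswordNeverExpires, PasswordExpired, 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        $expires = if ($_.PasswordNeverExpires -or -not $raw -or $raw -eq [long]::MaxValue) { $null }
                   else { [datetime]::FromFileTime($raw) }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Expired        = $_.PasswordExpired
            ExpiresOn      = $expires
            DaysLeft       = if ($expires) { [math]::Floor(($expires - (Get-Date)).TotalDays) } else { $null }
        }
    } |
    Where-Object { $_.Expired -or ($null -ne $_.DaysLeft -and $_.DaysLeft -le $warnDays) } |
    Sort-Object DaysLeft
```

Run the first part on each domain controller (or via `Invoke-Command`) to confirm the NLA state is what policy says it is; run the second part from any admin workstation with RSAT on a schedule and feed the output to whatever notifies the admins, which addresses the lockout problem without touching the NLA setting at all.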