Cyber Essentials is a joke?

iusepina
My team are working on Cyber Essentials Plus (site wide). It seems like a tick in the box exercise to me.

We have been told that in order to pass, we must reduce the security on our RDS servers. Microsoft found a bug in RDP (CredSSP) about two years ago and patched it. Since then, the way the technology works means users must be authenticated at a certain stage prior to logging on. Due to this, if a user's account has the "password change at next logon" flag set, they are unable to log on to RDS in order to change their password. Catch-22. It's well documented.

The workaround is to reduce the security on RDS to make it work, negating the security fix Microsoft put on. Either that, or users must change it on a PC. Not ideal in this environment.

Am I missing something really obvious here?

They also said every piece of software on all client machines (we have 4,000+) must be at the latest versions. Fortunately we use AppV so this isn't an issue for us, but I'd imagine it would be for most people.

There are some other gems which have come out of this as well.
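The two things the post describes (whether NLA is still enforced on the session hosts, and which accounts carry the "must change password at next logon" flag) can be audited instead of the protection being dropped. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, WinRM access to the session hosts, and placeholder host names:

```powershell
# Added example: audit RDS session hosts for Network Level Authentication (NLA)
# and list the AD accounts that the "must change password at next logon" flag
# would stop from completing NLA. Host names are placeholders; replace them.
$rdsHosts = @('RDSHOST01', 'RDSHOST02')   # placeholder session host names

function Get-NlaState {
    param([string]$ComputerName)
    # Win32_TSGeneralSetting holds the RDP-Tcp listener settings.
    # UserAuthenticationRequired: 1 = NLA enforced, 0 = NLA off (the "reduced security" workaround).
    # SecurityLayer: 0 = RDP security layer, 1 = negotiate, 2 = TLS.
    $ts = Get-CimInstance -ComputerName $ComputerName `
            -Namespace 'root/cimv2/TerminalServices' `
            -ClassName Win32_TSGeneralSetting `
            -Filter "TerminalName='RDP-Tcp'"
    [pscustomobject]@{
        Host          = $ComputerName
        NlaEnforced   = [bool]$ts.UserAuthenticationRequired
        SecurityLayer = $ts.SecurityLayer
    }
}

$nla = $rdsHosts | ForEach-Object { Get-NlaState -ComputerName $_ }
$nla | Format-Table -AutoSize

# Any host with NlaEnforced = False has the CredSSP/NLA protection switched off.
$nla | Where-Object { -not $_.NlaEnforced } |
    ForEach-Object { Write-Warning "NLA is disabled on $($_.Host)" }

# In AD the "must change password at next logon" flag is stored as pwdLastSet = 0.
# These enabled accounts cannot log on through NLA until the password is changed
# somewhere else, so they are the ones to handle before a user hits the Catch-22.
Import-Module ActiveDirectory
Get-ADUser -Filter 'pwdLastSet -eq 0 -and Enabled -eq $true' -Properties pwdLastSet |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```

Run it from an admin workstation with RSAT installed; the first table shows which hosts have had NLA turned off, the second which accounts will fail NLA until their password is reset or changed on a domain PC.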
bitterdon

Hi! Bro, I have exactly the same problems, also looking for help...

alverto krieat

Yes, it has become common for us to have our phones tethered to our computers. And how much personal data do we store in the cloud on various Web sites? One day we realize with horror that our personal information is already in the public domain. We're too lazy to bother and order an IT security check. After all, so many people are working to thwart the efforts of hackers. We don't realize that through our account, attackers can try to get into our corporate email, to do damage to our company.