My team are working on Cyber Essentials Plus (site wide). It seems like a tick-in-the-box exercise to me. We have been told that in order to pass, we must reduce the security on our RDS servers. Microsoft found a bug in RDP (CredSSP) about two years ago and patched it. Since then, the way the technology works means users must be authenticated at a certain stage prior to logging on. Due to this, if a user's account has the "password change at next logon" flag set, they are unable to log on to RDS in order to change their password. Catch-22. It's well documented. The workaround is to reduce the security on RDS to make it work, negating the security fix Microsoft put on. Either that, or users must change it on a PC. Not ideal in this environment. Am I missing something really obvious here?

They also said every piece of software on all client machines (we have 4,000+) must be at the latest versions. Fortunately we use App-V so this isn't an issue for us, but I'd imagine it would be for most people. There are some other gems which have come out of this as well.
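
The catch-22 described in the post above can be audited without touching the RDS security setting. This is an added example, not part of the original post: it reports whether pre-logon authentication (NLA) is still enforced on each RDS host and lists the accounts that currently carry the "change at next logon" flag. It assumes the ActiveDirectory module (RSAT) is installed; the host names are placeholders.

```powershell
# Added example (not from the original post).
# Assumptions: ActiveDirectory module available; host names below are placeholders.
Import-Module ActiveDirectory

$RdsHosts = @('rds01.example.test', 'rds02.example.test')   # placeholder host names

# 1. Check that NLA is still required on each host.
#    UserAuthenticationRequired = 1 means users are authenticated before the session starts.
$nlaReport = foreach ($rdsHost in $RdsHosts) {
    try {
        Get-CimInstance -ComputerName $rdsHost `
            -Namespace 'root/cimv2/TerminalServices' `
            -ClassName Win32_TSGeneralSetting `
            -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop |
            Select-Object @{ n = 'Host'; e = { $rdsHost } },
                          @{ n = 'NlaRequired'; e = { [bool]$_.UserAuthenticationRequired } }
    }
    catch {
        # Unreachable host: report it rather than silently skipping it.
        [pscustomobject]@{ Host = $rdsHost; NlaRequired = "query failed: $($_.Exception.Message)" }
    }
}
$nlaReport | Format-Table -AutoSize

# 2. Find accounts that will be refused at the RDS logon stage:
#    pwdLastSet = 0 is how AD stores "user must change password at next logon".
#    Excluded: disabled accounts (userAccountControl bit 2) and accounts with
#    "password never expires" (bit 65536), where the flag has no effect.
$ldapFilter = '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))'

$blocked = Get-ADUser -LDAPFilter $ldapFilter -Properties whenChanged |
    Sort-Object whenChanged -Descending |
    Select-Object SamAccountName, whenChanged, DistinguishedName

"{0} account(s) must change password before they can log on to RDS" -f @($blocked).Count
$blocked | Format-Table -AutoSize
```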