HTTP Strict Transport Security (HSTS) 'NOT ENFORCED' on CMG provisioned Virtual Machine.
The VM that is automatically provisioned as part of the Cloud Management Gateway setup from the ConfigMgr console, when security scanned, indicates HSTS is not turned on/ enforced.
This has been discussed with Microsoft Support and Configuration Manager experts from Microsoft, as this is obviously a concern. All attempts to mitigate this issue failed as any settings made as advised by Microsoft were reverted or failed to mitigate the issue.
We have assurances the service is secure however, we are aware that HSTS being off is recognised as a vulnerability to Microsoft and you recommend all to enforce this on all affected Microsoft Servers/services.
Could you please address this issue, as indicated above, by your own documentation and advice, this setting should be enforced.