Some assets have deviations from the CIS benchmarks (f.ex. multiple groups in a control, where the CIS benchmark checks for a specific string) which the CIS benchmark will mark as non-compliant. This is the case in where f.ex. a tiered AD structure has been configured.

Or when the Windows Server 2025 is applied to a 2012 server which has not all supported recommendations.