CIS Scanning could be implemented better

My pain point is that if I scan a host with the wrong CIS policy the host will get “stuck” to that policy and show failures where there really aren’t any. An example would be scanning a printer with a Windows 10 policy.

I got into this situation by having a single scanning template with multiple CIS policies on it. I scanned an entire site & found that my results were a jumble.

I’ve spoken about this to support, who is always very helpful, but I don’t like the answers from a product standpoint. Assuming that the answers I got from support were correct, here are a couple of scenarios that could be improved.

  1. If I use a CIS policy targeted to Windows 10 I would not expect it to scan a printer or other non-Windows 10 host. According to support this is not the case & I have to make sure that I only scan Windows 10 hosts with Windows 10 policies. The gymnastics required to break everything up by host & site is onerous to say the least. Being able to launch a singled scanning template with CIS policies for multiple OS types without the host types intermingling in the results would be much better.

2… Now that I have fifty printers or so “stuck” to my Windows 10 policy, the ability to purge those results would be useful. Then I could at least get rid of invalid results. As it stands, support has told me that I have to make a copy of my original policy, put the copied policy into my scanning template, and then delete the original template. I’m not a huge fan of this solution as it’s not very streamlined.

Any ideas or comments on these scenarios would be appreciate.

For this specific reason I wrote the following blog that shows a Policy workflow that will prevent these challenges. It does however involve copying the policy templates: