Windows CIS scan for users not showing correct results

Hey,

Running CIS policy scans against a Windows Server 2016 is always showing failure because registry entries aren’t set on service accounts (GPOs only apply to interactive logon).
Fine, I wrote a PS script to add the missing registry entries to the registry hive of the service account, but the R7 console is still showing a failure result because keys are missing… I know it’s false because when I log on to the server I can clearly see registry entries for all reported users.

I also noted that my user, which has settings applied by GPO, is also showing the failure even if it’s correctly set (screensaver settings are visible…)

Any idea what’s wrong here?

Regards,

Vincent

Hi Vincent,

You may want to ensure that you have PowerShell working for your scans. CIS policy checks frequently require WinRM to function properly, and enabling PowerShell to be used as a part of your scans should ensure that this works. You can find the docs on that here:-
https://docs.rapid7.com/insightvm/using-powershell-with-your-scans/

Kind Regards,

Tom

Hey Tom,

Thanks for your answer but it’s not helping. CIS is using these ports by default and I confirmed from the scanning machine that I can telnet to the remote one on port 5985.

What is strange is that all other “computer” settings are well detected. Only the user is causing an issue.

Regards,

Vincent
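
One way to validate the per-user screensaver settings discussed in this thread, added here as an example (it is not part of the original posts and is not Rapid7's check logic). The key path and value names are assumptions, since the thread does not name the exact keys the check reads.

```powershell
# Added example: for every local profile, report whether the per-user
# screensaver policy values exist in the hive currently loaded under HKEY_USERS.
# Assumption: the key path and value names below are the usual screensaver
# policy locations; the thread does not state which keys the CIS check reads.
$subKey = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$names  = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut'

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

Get-ChildItem -Path $profileList | ForEach-Object {
    $sid  = $_.PSChildName
    $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath

    # A user hive is only visible under HKEY_USERS while that profile is loaded
    # (interactive session, running service, or an explicit "reg load").
    $hive   = "Registry::HKEY_USERS\$sid"
    $loaded = Test-Path -Path $hive

    $row = [ordered]@{ SID = $sid; Profile = $path; HiveLoaded = $loaded }
    foreach ($n in $names) {
        $row[$n] = if ($loaded) {
            # Missing key or missing value both come back as $null here.
            $v = Get-ItemProperty -Path "$hive\$subKey" -Name $n -ErrorAction SilentlyContinue
            if ($null -ne $v) { $v.$n } else { '<missing>' }
        } else {
            '<hive not loaded>'
        }
    }
    [pscustomobject]$row
} | Format-Table -AutoSize
```

Running it in a remote session under the scan credentials, rather than at the console, shows what is visible over WinRM to that account.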

Hi Vincent,

Sorry for the delay here. I’d recommend opening a support case if you have not already done so. If you can validate the registry keys are present on the target machine, but the check is failing, we are into the realms of a potential issue with the checks themselves. Although I would certainly start with ensuring that authentication is working properly in the first instance, as this is often the root cause of policy checks failing. You need to see Credential Success with Admin on 139, 445 and 5985/5986 to be certain. You may find the CSE workshop on policy scanning useful:-