It seems the IIS accounts are interfering with reporting on the (L1) Ensure ‘Generate security audits’ is set to ‘LOCAL SERVICE, NETWORK SERVICE’ FIxlets any thought on how to resolve without breaking it on machines without IIS?
I’m not sure that there’s anything to fix? It sounds like your machine is out of compliance with the checklist requirement, and you should either accept the deviation, or ask the CIS org to change their checklist content?
And, to be clear, there are many scenarios where applying the exact checklist requirement does break some application or functionality, which is why managing exceptions is crucial.