Need some help deciphering the below relevance for one of our DISA checks. If the value “ScreenSaverIsSecure” = 1 should the relevance below return a true or false? Currently I have a few machines that are showing with the value as “1” which would make me believe the relevance below would report “false” and the check would no longer be applicable. Am I correct or am I misunderstanding something?
not exists 1 whose (number of ((values "ScreenSaverIsSecure" of it) of (keys "Software\Policies\Microsoft\Windows\Control Panel\Desktop" of it) of it whose (exists matches (regex "^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$") of name of it) of keys of keys "HKEY_USERS" of native registry) whose ((type of it = "REG_SZ") of it and ((if (type of it = "REG_BINARY" or type of it = "REG_NONE") then (hexadecimal integer (it as string)) else (it as integer)) of it = (it as integer) of ("1"))) = number of it whose (exists matches (regex "^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$") of name of it) of keys of keys "HKEY_USERS" of native registry)
My understanding of Compliance Check Relevance is that it is “reversed” from Fixlet Relevance.
It should be checking for the Condition AS IT SHOULD BE, so that if it’s TRUE it’s OK, but if it’s FALSE, there is a problem.
“Not exists” would mean that if the value “1” didn’t exist it would report True... Correct? This would mean that the check should be applicable so that it can be enforced and remediated. In my instance the value is set to “1”, but the check is still showing applicable or needs to be enforced. If I run the above relevance through the debugger it also reports True.
Just an interpretation here, but…
I think the "not exists 1 whose ()" should be functionally equivalent to "not exists true whose ()",
in the sense that "exists (something) whose ()" is there to trap relevance evaluation errors inside the whose () block by basically converting an error into a ‘false’ result.
In Compliance checks, a True indicates ‘not compliant’, except for the Applicability fixlet in each site.
I think what this particular check is doing is ensuring that the number of mounted user registry hives with the ScreenSaverIsSecure value of “1” matches the total number of mounted user registry hives (hence, none are missing this value). The regex used there matches the format of a user SID, as it would appear in the key name beneath HKEY_USERS.
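The count comparison described in the reply, modelled in Python over a constructed set of HKEY_USERS hives (an added example for illustration, not code from the thread or from BigFix). It reads the posted relevance literally: a hive only counts as compliant when ScreenSaverIsSecure is stored as REG_SZ and converts to 1, so the REG_BINARY/REG_NONE branch never applies as written, and a REG_DWORD value is not counted either; an evaluation error inside the whose () block becomes a false result, which the leading "not" turns into True (non-compliant).

```python
import re

# SID pattern from the check; the "+-" that rendered as "±" in the post is restored here.
SID_RE = re.compile(r"^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$")
DESKTOP_KEY = r"Software\Policies\Microsoft\Windows\Control Panel\Desktop"

# A hive is modelled as {key path: {value name: (registry type, data)}}.


def as_integer(reg_type, data):
    # Mirrors the check's conditional: hex-parse binary/none data, otherwise cast to integer.
    if reg_type in ("REG_BINARY", "REG_NONE"):
        return int(data, 16) if isinstance(data, str) else int.from_bytes(data, "little")
    return int(data)  # raises ValueError for non-numeric REG_SZ data, like "it as integer"


def screensaver_secure(hive):
    """True only when ScreenSaverIsSecure exists as REG_SZ and equals 1 (first conjunct is REG_SZ)."""
    values = hive.get(DESKTOP_KEY, {})
    if "ScreenSaverIsSecure" not in values:
        return False
    reg_type, data = values["ScreenSaverIsSecure"]
    return reg_type == "REG_SZ" and as_integer(reg_type, data) == 1


def check_relevance(hkey_users):
    """Evaluate the posted check: True means non-compliant (a user hive lacks the setting)."""
    user_hives = [hive for name, hive in hkey_users.items() if SID_RE.match(name)]
    try:
        counts_match = sum(1 for h in user_hives if screensaver_secure(h)) == len(user_hives)
    except (ValueError, TypeError):
        counts_match = False  # "exists 1 whose (...)" turns an evaluation error into false
    return not counts_match  # no SID-named hives at all gives 0 == 0, so the check is False


if __name__ == "__main__":
    # Constructed sample hives (not real registry data).
    ok = {DESKTOP_KEY: {"ScreenSaverIsSecure": ("REG_SZ", "1")}}
    dword = {DESKTOP_KEY: {"ScreenSaverIsSecure": ("REG_DWORD", 1)}}
    sid_a = "S-1-5-21-1111111111-222222222-333333333-1001"
    sid_b = "S-1-5-21-1111111111-222222222-333333333-1002"
    print(check_relevance({sid_a: ok, ".DEFAULT": {}}))   # False: every user hive compliant
    print(check_relevance({sid_a: ok, sid_b: {}}))         # True: one user hive lacks the value
    print(check_relevance({sid_a: dword}))                 # True: REG_DWORD is not counted as written
```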