We are working through our Secure Score and I have some questions about a few items in the Resolve unsecure account attributes action. We have the default Internet Guest Account and Launch IIS Process Account disabled in our primary domain. And we have the default Internet Guest Account and Launch IIS Process Account disabled in a secondary domain in our forest.

Secure Score does not show any recommended actions for the Internet Guest Account and Launch IIS Process Account in our primary domain. But it shows we need to remove the password not required flag in our secondary domain. Comparing all four accounts in onprem AD, they all have the same settings.

Is there any reason why those accounts in our secondary domain show up in Secure Score as having action items when the ones in our primary domain don't? Since they all have the same settings, they should all have the same action or lack or action.