Security Baseline reporting - does not match baseline
Settings in the security baseline will have the status "does not match baseline" if they do not match the original value in the security baseline from Microsoft. This is fine if you always stick to the default original values; however, if you need to change the settings (including improving the security), you will receive "does not match baseline".
The documentation currently does not state this clearly:
It would be more useful if "does not match baseline" referred to the actual current values in the security baseline, or even better: if you could have two columns under "security baseline posture..": one for "does not match original Microsoft-provided values", and another for the current values. That way you could easily assess whether you are not running Microsoft-recommended values, and also whether all your devices match the baseline (a "matches baseline" column is not there).