As far as I can tell, a policy or benchmark that is supported by Qualys doesn't exist for a Windows Server 2016 Core OS. By design it is more secure. Many of the controls for the Windows Server 2016 CIS or STIG benchmark do apply, but managing all of the exceptions could be a pain. I could create separate policy based off of those benchmarks and inactivate the controls that do not apply. Any thoughts would be appreciated.