Are you “profi” pretending that you don’t understand the point?
Once again - installing the CIS on some machine can’t prevent the machine from loading unauthorized/usigned or malware drivers from loading even if these drivers are childish toys with “start on demand” then when this “demand” happens then guess what happen with CIS…
Once again your/CIS’ hooks and drivers in R0 are useless if only registry’s \Services\ protected somehow and only post factum after/since installation.
XP and some allow loading unsigned drivers and this another headache CIS D+ can’t solve in this case of weakly protected registry tree.
Why some assumptions on clean and signed drivers in \Services\ on default? At least signing should be checked on pre x64.