There's a couple of different approaches you can take with Vulnerability scanners like OpenVAS and they'll produce somewhat different results.
Uncredentialed scanning, you just provide the IP addresses and the scanner assesses what it can from the network perspective. What it's doing under the covers is completing a port scan and then assessing against a database of known issues for the ports that it finds as open.
You can also provide credentials to the scanner, which allows it to sign into the system and review the configuration and software installed to find more vulnerabilities. this approach will produce a lot more findings as it'll pick up things which aren't visible from a network perspective. However this depends on the scanner knowing about the device/OS to be reviewed, some scanners have better coverage here than others.
VA scanners can also sometimes identify new vulnerabilities by doing things like fuzzing web applications, but it's worth noting that this carries some degree of risk that the applications scanned will react poorly.
If you're looking to improve your security I'd recommend credentialed scanning as part of your security programme. It finds more issues and tends to have fewer false positives.
If your goal is more compliance oriented, then probably best to start with matching the scanning that the auditor will complete and make sure you address all the issues from that.