Why do I still get a low score using the site scanner even though I clicked on the Best Practices button?

There are a few reasons. First, make sure that you have clicked the Apply button and rebooted your server. Second, as of February 2020, the site scanner now caps scores with a B rating if TLS 1.0 or 1.1 are enabled. If you do not have any clients that use TLS 1.0 or 1.1 we recommend using the built in PCI 4.0 template which disables TLS 1.0 and 1.1.

The other common reason we have seen is that there is a proxy or load balancer in front of your server intercepting TLS traffic. Usually those systems are hardware based running some form of OpenSSL. Unfortunately IIS Crypto has no way to configure them. If you or your network administrator cannot, or do not want to, bypass those systems, there is not much else you can do other than making sure they are setup securely.