We were given some vulnerability reports on our package servers. One of the finding has to do with IIS response headers. This is what was configured when the scan was executed:

Testing revealed with Windows Server 2019 that ASP.NET is added by default when IIS is installed.

Go to IIS Management, click on the Server Name, and then select the HTTP Response Headers. 

Select the ASP.NET line, and click Remove:

This resolved the vulnerability.