When running a standard that checks the settings of the configuration of your server, the results of the CCS scan do not match the Local Computer Policy or GPO that has been configured.

CCS 12.6.x

CCS 12.7

The actual configuration on a server can be set by a GPO or the Local Computer policy, and it can be difficult to determine where the value to the configuration is being set.  Below are some useful command that might aid you to determine what GPO is setting that configuration for that value.

In PowerShell or in a command prompt window (running As Administrator), run the following command:

AuditPol /get /category:*

This will return a list of the configuration values and how they are set on that server.

In this example, we will be checking the configuration value for the IPsec Driver.  In the results of the AuditPol command above, scroll down until you see what value is being returned.

 

If the value being shown is the same value that CCS is reporting, then CCS is reporting correctly.

Since it can be difficult to determine which GPO is assigning that value on that server, you can run the following command to determine the 'Winning GPO' which is assigning the value.

In PowerShell or in a command prompt window (running As Administrator), run the following command:

gpresult /h %userprofile%\desktop\gpo_result.html

This command will create a file on the Desktop for the current user named gpo_result.html.  Open the file in the internet browser.
Note: When you run the gpo_result.html, sometimes it gets stuck loading.  Just X out and then refresh again and it loads correctly.

Navigate to the parameter and see what GPO is listed under 'Winning GPO' column.  This is the GPO (or Local Group Policy) that Windows is using to assign that value to that configuration setting.

Example: