After remediating a configuration profile with "allow_tcp_forwarding" set to "NO", a compliance check will show the ESXi host is not compliant with the configuration profile.

vCenter 8.x

Workaround:

Remove the below configuration from the reference json file, since "no" is already the default value of "allow_tcp_forwarding" keyword for SSHd on ESXi.
Configuration to be removed from the reference json file.

   "ssh_server": {
      "allow_tcp_forwarding": "NO"
   },

When extracting the configuration from a reference host, reset the keyword's value on the reference host using the command "esxcli system ssh server config set -k allowtcpforwarding -r" before extracting its configuration.