Why do I still get a low score using the site scanner even though I clicked on the Best Practices button?

One common reason we have seen is that there is a proxy or load balancer in front of your server intercepting TLS traffic. Usually those systems are hardware based running some form of OpenSSL. Unfortunately IIS Crypto has no way to configure them. If you or your network administrator cannot, or do not want to, bypass those systems, there is not much else you can do other than making sure they are setup securely.