Forum Discussion
simcpk
Jul 08, 2019, Brass Contributor
Set 'Remote Desktop security level' to 'TLS' Not Detecting Correctly
Consider the following remediation description --
Set 'Remote Desktop security level' to 'TLS'
Option 1 - Set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer
To the following REG_DWORD value: 2
Option 2 - Set the following Group Policy:
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require use of specific security layer for remote (RDP) connections
To the following value: SSL (TLS 1.0)
--------------
I believe my machines should be passing this test, but due to out-of-order validation steps they are still marked as unresolved. I've checked my group policy settings and the corresponding registry key at (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\SecurityLayer) and it's set to '2'. As far as I understand it, this should take precedence over the value that I have in HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer which is '1'. I don't bother setting that key/value since I believe the group policy takes precedence. Unfortunately, WDATP is checking Option 1 first and short-circuiting if it's not set to '2'. In my opinion, it should be checking Option 2 first and short-circuiting a pass if the value is set to '2'.
Phil
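The two checks from the remediation text above, combined into one read-only PowerShell script that evaluates them in the order the poster argues the assessment should use: the Group Policy registry key first, and the per-listener WinStation key only if no policy value is present. This is an added example for the thread, not code from the original post or from any Microsoft tooling. The function name is invented, the value meanings follow the policy setting quoted above (2 = SSL/TLS), and the optional WMI cross-check assumes the Win32_TSGeneralSetting class in the root/cimv2/TerminalServices namespace is present on the host.

```powershell
# Added example (not from the original thread): report the effective RDP SecurityLayer,
# checking the Group Policy key before the RDP-Tcp listener key. Read-only; run elevated
# so both HKLM locations are readable.

function Get-RdpSecurityLayerState {
    [CmdletBinding()]
    param(
        # Option 2 location (written by the "Require use of specific security layer" policy)
        [string]$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
        # Option 1 location (the RDP-Tcp listener's own setting)
        [string]$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',
        [string]$ValueName   = 'SecurityLayer'
    )

    # Meaning of the REG_DWORD values for this setting, as in the policy's drop-down.
    $meaning = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

    # Returns the DWORD as [int], or $null when the key or value does not exist.
    function Read-Dword([string]$Path, [string]$Name) {
        try {
            $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
            return [int]$item.$Name
        } catch {
            return $null
        }
    }

    $policyValue   = Read-Dword -Path $PolicyKey   -Name $ValueName
    $listenerValue = Read-Dword -Path $ListenerKey -Name $ValueName

    # Precedence as the poster describes it: a configured policy value wins over the
    # listener value, so it is evaluated first and short-circuits the decision.
    if ($null -ne $policyValue) {
        $effective = $policyValue; $source = 'Group Policy key (Option 2)'
    } elseif ($null -ne $listenerValue) {
        $effective = $listenerValue; $source = 'RDP-Tcp listener key (Option 1)'
    } else {
        $effective = $null; $source = 'not configured (OS default applies)'
    }

    # Optional cross-check through WMI, which exposes the RDP-Tcp listener's SecurityLayer.
    # Assumption: the TerminalServices WMI provider is available; $null if it is not.
    $wmiValue = $null
    try {
        $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                              -ClassName 'Win32_TSGeneralSetting' `
                              -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
        $wmiValue = [int]$ts.SecurityLayer
    } catch { }

    [pscustomobject]@{
        PolicyValue      = $policyValue
        ListenerValue    = $listenerValue
        WmiListenerValue = $wmiValue
        Effective        = $effective
        EffectiveMeaning = if ($null -ne $effective) { $meaning[$effective] } else { $null }
        Source           = $source
        # Pass only when the value that actually governs the listener is 2 (SSL/TLS).
        Compliant        = ($effective -eq 2)
    }
}

# Usage: prints one object; Compliant is $true for the poster's scenario
# (policy key = 2, listener key = 1) because the policy value is evaluated first.
Get-RdpSecurityLayerState | Format-List

# If you do want Option 1 set as well (the remediation text's first option), it is:
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
#                    -Name SecurityLayer -Value 2 -Type DWord
```

The script reports both raw values alongside the effective one, so a host that fails an assessment can be checked in seconds for the exact mismatch the poster describes (policy key 2, listener key 1) rather than just a pass/fail verdict.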
2 Replies
- Haim Goldshtein
Microsoft
Hi simcpk,
Thanks for your message. We'll review the issue and publish the conclusions as soon as possible.
Thanks,
Haim
- Haim Goldshtein
Microsoft
Hi simcpk,
Thank you so much for your message.
We found the root cause of the problem, and a fix should be deployed in the near future.
Thanks,
Haim