I have three instances of an application: local, Staging (remote) and Production (remote). All three of them are running IIS 10. Local is Windows 10, the two remote servers are Windows Server 2016.
All three have applicationHost.config configured like this:
<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <sectionGroup name="security">
        <section name="access" overrideModeDefault="Deny" />
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <location path="mbrs">
    <system.webServer>
      <security>
        <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert, Ssl128" />
      </security>
    </system.webServer>
  </location>
</configuration>
Local and Staging respect this configuration, and the IIS Configuration Editor will correctly identify the storage location of SSL flags as being locked by and in applicationHost.config. Changing overrideModeDefault to "Allow", or adding overrideMode="Allow" to the location tag will remove the lock. Changing overrideModeDefault to "Allow", and adding overrideMode="Deny" to the location tag will enforce the lock.
Production does not respect the lock under any circumstance and will always allow the SSL flags to be saved to web.config.
Extensive reading of the Microsoft documentation leads me to believe that there are no other configuration files or values which could be affecting this situation, but since it is our production server which is apparently breaking the locking rules I am rather hoping that I am wrong!
What am I missing?
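An added diagnostic to run on each of the three servers (this is not part of the question above and not Microsoft's sample code). It uses Microsoft.Web.Administration, the same library the IIS Configuration Editor reads through, to report the override mode and effective lock state of system.webServer/security/access for the "mbrs" location, and to list every <location> in applicationHost.config that touches that section. It assumes the location path "mbrs" names a site, as a location path without a slash does; for an application under a site, pass "Site Name/mbrs" as -LocationPath. Comparing the output of the three servers shows whether Production's applicationHost.config really says what you think it says, and if so, which entry is granting Allow.

```powershell
# Added diagnostic, not part of the original question.
# Assumption: the location path "mbrs" names a site. For an application
# beneath a site, run with -LocationPath "Site Name/mbrs". Run elevated.
param(
    [string]$LocationPath = 'mbrs',
    [string]$SectionPath  = 'system.webServer/security/access'
)

# Microsoft.Web.Administration ships with IIS and reads the real config store,
# so its view is the one that decides whether web.config may set sslFlags.
Add-Type -Path (Join-Path $env:windir 'System32\inetsrv\Microsoft.Web.Administration.dll')
$sm = New-Object Microsoft.Web.Administration.ServerManager

# View 1: the section as applicationHost.config defines it for this location.
$appHost     = $sm.GetApplicationHostConfiguration()
$hostSection = $appHost.GetSection($SectionPath, $LocationPath)

# View 2: the effective section from the site's web.config level. If IsLocked
# is $false here, web.config is allowed to set sslFlags, whatever the
# <section overrideModeDefault> line says.
$effective = $sm.GetWebConfiguration($LocationPath).GetSection($SectionPath)

$appHostFile = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'

[pscustomobject]@{
    Server                = $env:COMPUTERNAME
    AppHostSha256         = (Get-FileHash -Algorithm SHA256 $appHostFile).Hash  # quick cross-server diff
    SslFlags_appHost      = $hostSection['sslFlags']
    OverrideMode_location = $hostSection.OverrideMode           # Inherit unless the <location> tag sets it
    OverrideModeEffective = $hostSection.OverrideModeEffective  # Inherit resolved against overrideModeDefault
    IsLocked_effective    = $effective.IsLocked                 # $true means web.config cannot change it
    SslFlags_effective    = $effective['sslFlags']
} | Format-List

# Every <location> in applicationHost.config that carries this section, with
# its override mode. A second, more specific or differently cased entry for
# the same path is the usual reason a lock looks right but does not apply.
Write-Host "Location entries in applicationHost.config for $SectionPath :"
foreach ($loc in $appHost.GetLocationPaths()) {
    $s = $appHost.GetSection($SectionPath, $loc)
    if ($s.OverrideMode -ne 'Inherit' -or $s.HasChildElements) {
        '{0,-40} OverrideMode={1,-8} Effective={2}' -f $loc, $s.OverrideMode, $s.OverrideModeEffective
    }
}
```

The two boxes that honour the lock should print OverrideModeEffective = Deny and IsLocked_effective = True; the production box is expected to print Allow / False, and the list that follows, together with the file hash, narrows down whether the difference is in the file itself or in a location entry that is not in the excerpt above.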