How do I get an A+ from the Site Scanner?

The Site Scanner requires the following combination of settings in order to get an A+:

If you are running Windows Server 2016, 2019 or 2022, using the PCI 4.0 or Strict templates and adding HSTS to your website will result in an A+. 

Windows Server 2022 adds support for TLS 1.3. However, if both TLS 1.2 and 1.3 are enabled the Site Scanner will only result in an A grade. This is because Windows Server currently does not support downgrade attack prevention. If the client requests TLS 1.3, Windows will still allow TLS 1.2 downgrades and that is why the Site Scanner reports a grade of A instead of A+.

If you are running Windows Server 2012 R2 or lower this update (KB3174644) must be applied. Then select the PCI 4.0 or Strict template and check TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 in the Cipher Suites tab. Finally add HSTS to your website.