The Site Scanner requires the following combination of settings to get an A+:

- Only TLS 1.2 can be used
- At least one cipher suite must support Authenticated Encryption (AEAD)
- HTTP Strict Transport Security (HSTS) must be added to your website

If you are running Windows Server 2016 or 2019, selecting the PCI 3.2 or Strict template and adding HSTS to your website will result in an A+.

If you are running Windows Server 2012 R2 or lower, the update KB3174644 must be applied first. Then select the PCI 3.2 or Strict template and check TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 in the Cipher Suites tab. Finally, add HSTS to your website.
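
To confirm the three requirements from a client after applying the template, the following added example (not part of the original page and not the scanner's own code) probes whether TLS 1.0/1.1 are still accepted, whether a TLS 1.2 handshake restricted to AEAD suites succeeds, and reads the HSTS header. All function names are hypothetical, and the legacy probes assume the local OpenSSL build still permits TLS 1.0/1.1 as a client; if it does not, they report nothing accepted regardless of the server.

```python
import http.client
import socket
import ssl

def hsts_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, else None."""
    for directive in (value or "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and arg.strip().strip('"').isdigit():
            return int(arg.strip().strip('"'))
    return None

def is_aead(cipher_name):
    """True for OpenSSL or IANA suite names that use an AEAD construction."""
    return any(tag in cipher_name.upper() for tag in ("GCM", "CCM", "CHACHA20"))

def _context(version, ciphers):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # probing protocol support, not trust
    ctx.set_ciphers(ciphers)             # SECLEVEL=0 so local policy does not mask results
    ctx.minimum_version = ctx.maximum_version = version
    return ctx

def probe(host, version, ciphers="ALL:@SECLEVEL=0", port=443):
    """Return the negotiated cipher name, or None if the handshake is refused."""
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with _context(version, ciphers).wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError, ValueError):
        return None

def check_site(host):
    """Evaluate the three requirements listed above for one host (SSL 2/3 not probed)."""
    legacy = [v.name for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1) if probe(host, v)]
    aead = probe(host, ssl.TLSVersion.TLSv1_2, "AESGCM:CHACHA20:@SECLEVEL=0")
    conn = http.client.HTTPSConnection(host, timeout=5, context=ssl.create_default_context())
    conn.request("HEAD", "/")
    hsts = conn.getresponse().getheader("Strict-Transport-Security")
    conn.close()
    return {"legacy_protocols_accepted": legacy,   # expected: []
            "tls12_aead_cipher": aead,             # expected: a GCM suite name
            "hsts_max_age": hsts_max_age(hsts)}    # expected: a positive integer

if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1]))
```

Run it as a script with the hostname as the only argument. An empty `legacy_protocols_accepted`, a non-empty `tls12_aead_cipher` and a positive `hsts_max_age` correspond to the three bullet points above.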