I performed the custom scan as documented on Qualys' website and quite a few servers came back as testing positive for the Heartbleed vulnerability, the results section simply stating "TLSv1". These are servers that do not have any third party software or applications installed, just IIS. According to Microsoft, their servers do NOT utilize OpenSSL and are not vulnerable to Heartbleed. Why is Qualys giving me positives on servers that do not contain OpenSSL? I contacted support about this but so far I have not been provided with any answers.