I'm running IIS on 2008 R2, 2012 R2, and 2016 Servers. We're currently using a GPO to remove weak ciphers and put them in the optimal order. We receive an A when scanning our sites; however, today I noticed that it's still showing that we're using ciphers that I have definitely removed either by the GPO or manually with the IIS Crypto tool. For some reason, SSLLabs still shows them and marks them as weak.
As an example, I removed all the TLS_RSA ciphers and am only using TLS_ECDHE ciphers, which should all be strong I believe. The TLS_RSA ciphers still show up in my scan. I've seen a few other posts where users reference a Registry edit. Is that what I'm missing? And if so, what is the point of using the IIS Crypto tool and/or a GPO to configure cipher preference/order if you aren't actually removing the weak ciphers in the process? I guess I'm just not seeing the connection. Any information will be greatly appreciated.