I am receiving a bad grade for my Diffie-Hellman Prime length being less than 2048-bits. I am running Windows Servers and tried to edit the cipher orders in IIS. After reboot, and rescanning on ssllabs, it still shows the ciphers I removed. I have also tried to apply "Best Practices" in the IIS Crypto 2.0 and rebooted but also same result. No changes are being applied. I have read weakdh.org but do not understand how to generate a new DH group on a Windows Server.
Any help or direction would really be appreciated. Thanks in advance.