Just an update on this, we encountered a problem were certain websites were failing to load because they were using 256bit elliptic curve functions instead of 384 or 521bit like I expected. SCHANNEL config in Windows is tricky because you only get 1023 characters and there's a lot of ciphers to choose from. I've adjusted the config a bit, keeping ciphers with forward secrecy at the front and pulled out some of the older DSA-based ciphers with SHA signing that aren't likely to be used to make room. Updated config is attached.