Issue was caused by a recent update to our TLS library that disabled SHA-1 signature hashes But this is the only signature hash supported by Windows Server 2012 and 2016, so this caused a regression as new TLS sessions would now fail to be established. The fix was to re-enable SHA-1 signature hashes.