I’m actually not sure if I really got the logic and you’re actually just checking for TLS 1.0. You just checked if the key for TLS 1.1 existed and not the corresponding values.
Try this …
# Prompt for the target machine, then read the TLS 1.0 server settings on it
$RemoteComputer = Read-Host -Prompt 'Please enter computer name to CHECK TLS 1.0 and 1.1 on'
Invoke-Command -ComputerName $RemoteComputer -ScriptBlock {
    # The key itself may be absent; only read the values when it exists
    if (Test-Path -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server') {
        $DisabledByDefault = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'DisabledByDefault'
        $Enabled = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'Enabled'
        # Compare the two DWORD values, not just the presence of the key
        if ($DisabledByDefault.DisabledByDefault -eq 0 -and $Enabled.Enabled -eq 1) {
            'TLS 1.0 is Enabled'
        }
        elseif ($DisabledByDefault.DisabledByDefault -eq 1 -and $Enabled.Enabled -eq 0) {
            'TLS 1.0 is Disabled'
        }
        else {
            # Contradictory combination of the two values
            'Either ("DisabledByDefault = 1" AND "Enabled = 1") OR ("DisabledByDefault = 0" AND "Enabled = 0")'
        }
    }
    else {
        'No key found, TLS 1.0 is not configured'
    }
}
The other thing I found in my testing: on a fresh Windows 2019 server deploy with all current updates, the TLS 1.0 and 1.1 keys do not exist, but IISCrypto and other tools say they are still enabled.
If you explicitly set those keys to disabled, it disabled the protocols.
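The two points raised in this thread (compare the values rather than the key, and a missing key does not mean disabled) can be combined into one audit function. This is an added example, not code from either poster; the function name `Get-SchannelProtocolState` is hypothetical, and it goes beyond the posted script by also covering TLS 1.1 and the `Client` subkey and by treating a key with no values like an absent key.

```powershell
# Added example (not from the thread). Function name is hypothetical.
# Reports the configured state of each protocol/role and separates
# "not configured" (OS default applies) from an explicit setting.
function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol = @('TLS 1.0', 'TLS 1.1'),
        [string[]]$Role     = @('Server', 'Client')
    )
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($p in $Protocol) {
        foreach ($r in $Role) {
            $path    = Join-Path -Path $base -ChildPath "$p\$r"
            $enabled = $null
            $dbd     = $null
            if (Test-Path -Path $path) {
                # Reading all values at once avoids an error when one is missing;
                # a missing value then simply comes back as $null.
                $props   = Get-ItemProperty -Path $path
                $enabled = $props.Enabled
                $dbd     = $props.DisabledByDefault
            }
            # Same classification as the script above, plus the unconfigured case.
            # Any non-zero Enabled counts as on (some tools write 0xFFFFFFFF).
            $state = if ($null -eq $enabled -and $null -eq $dbd) {
                'NotConfigured (OS default applies)'
            }
            elseif ($dbd -eq 0 -and $null -ne $enabled -and $enabled -ne 0) {
                'Enabled'
            }
            elseif ($dbd -eq 1 -and $enabled -eq 0) {
                'Disabled'
            }
            else {
                'Mixed or partial (check both values)'
            }
            [pscustomobject]@{
                Protocol          = $p
                Role              = $r
                Enabled           = $enabled
                DisabledByDefault = $dbd
                State             = $state
            }
        }
    }
}

# Remote use, with $RemoteComputer set as in the script above:
# Invoke-Command -ComputerName $RemoteComputer -ScriptBlock ${function:Get-SchannelProtocolState}
```

A `NotConfigured` row is the fresh-install case described above: nothing in the registry disables the protocol, so the audit should not report it as off.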