Forum Discussion
TLS 1.1 is set as a recommended value in the latest security baseline
In the latest security baseline for Windows 11 24H2, the following item is set to "Use TLS 1.1 and TLS 1.2," but could you please explain the reason for this?
Download Microsoft Security Compliance Toolkit 1.0 from Official Microsoft Download Center
Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Turn off encryption support
Enabled: Use TLS 1.1 and TLS 1.2
Generally, I believe TLS 1.1 should no longer be used, and that using "TLS 1.2 and TLS 1.3" would be better from a security standpoint.
2 Replies
This particular setting in the Windows 11 24H2 baseline often causes confusion because it doesn’t enable TLS 1.1 — it only controls what appears in the Internet Options UI for legacy components.
Even though the baseline says “Use TLS 1.1 and TLS 1.2”, modern Windows versions already disable TLS 1.0/1.1 by default at the OS level for Schannel-based apps.
The Group Policy item simply aligns IE/legacy UI settings so that older applications relying on those dialogs don’t break during audits or compliance scans. Microsoft’s recommended protocol set remains TLS 1.2 and TLS 1.3 for all modern workloads.
TLS 1.1 is not being re-enabled — the baseline entry is a compatibility UI requirement, not a security rollback.
- Jalixio, Copper Contributor
Hello Kayoda23,
Regarding the Windows 11 24H2 security baseline item:
The setting “Enabled: Use TLS 1.1 and TLS 1.2” does not mean that TLS 1.1 is recommended. This reflects what is already included in configuration options, mainly to avoid breaking existing systems or production environments, since some legacy applications may still require TLS 1.1, like SQL Server 2012, 2014 and 2016.
From a modern security perspective, the recommendation is to use TLS 1.2 or higher (ideally TLS 1.3) and disable TLS 1.1 wherever possible.
In short, TLS 1.1 is included for compatibility reasons, not as a best-practice recommendation.
Thanks,
Moetaz RABAI
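
To see what the policy and Schannel are actually set to on a given machine, the following read-only PowerShell check can be run; it is an added example, not part of any post in this thread. It assumes the "Turn off encryption support" policy is stored as the `SecureProtocols` DWORD under the Internet Settings policy key with the WinINet bit flags listed in the code, and that Schannel overrides live under the `SCHANNEL\Protocols` key; the function name `ConvertFrom-SecureProtocols` is hypothetical.

```powershell
# Added example (read-only): report the effective TLS configuration on this machine.
# Assumed bit flags of the WinINet SecureProtocols DWORD.
$ProtocolFlags = [ordered]@{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
    'TLS 1.3' = 0x2000
}

function ConvertFrom-SecureProtocols {
    # Hypothetical helper: return the protocol names whose bit is set in the mask.
    param([Parameter(Mandatory)][int]$Value)
    $ProtocolFlags.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

# 1) The Group Policy value written by "Turn off encryption support".
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)
foreach ($key in $policyKeys) {
    $v = (Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $v) { '{0}: SecureProtocols not configured' -f $key; continue }
    '{0}: 0x{1:X} = {2}' -f $key, $v, ((ConvertFrom-SecureProtocols -Value $v) -join ', ')
}

# 2) Explicit Schannel overrides; a missing key or value means the OS default applies.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
    foreach ($role in 'Client', 'Server') {
        $p = Get-ItemProperty -Path "$schannel\$proto\$role" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $proto
            Role              = $role
            Enabled           = if ($p -and $null -ne $p.Enabled) { $p.Enabled } else { 'OS default' }
            DisabledByDefault = if ($p -and $null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { 'OS default' }
        }
    }
}
```

Under these assumptions, the baseline's "Use TLS 1.1 and TLS 1.2" decodes from 0xA00, and "TLS 1.2 and TLS 1.3" would be 0x2800.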