I have recently been testing Windows in FIPS-compliance mode for compliance with a common security policy mandated by a state government agency. This included my assigned laptop, which is running Windows 8.1 Update Enterprise x64.
As part of the test, I enabled the "System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms" both in local security policy on my machine and later via a test GPO. Since that test has completed, I have deleted the GPO and disabled the setting in local security policy. I've also rebooted several times to verify the setting is truly disabled and also tried creating a GPO that forces that setting to disabled.
What I am seeing is, since performing these tests, I can no longer enable TLS 1.1 or 1.2 on IE11. They were previously enabled. The settings for SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 are all grayed out. SSL 2.0, SSL 3.0, and TLS 1.0 are checked (and cannot be unchecked) and TLS 1.1 and TLS 1.2 are unchecked (and cannot be checked).
Suspecting group policy, I put my user account and computer account in an OU that has group policy inheritance blocked and made a GPO that only forces SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 on for my user account and applied it to my test GPO. The particular setting is Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Advanced Page | Turn off encryption support | Use SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. I ran gpupdate /force, rebooted, checked local security policy to confirm that my laptop is not in FIPS mode, then checked the IE11 advanced options and there was no change.
How can I get TLS 1.1 and TLS 1.2 back?