SarahC

Reputation: 113

IIS Crypto... What is the point of "Client" settings?

On Windows server machines there are registry keys that a program called "IIS Crypto" changes that are for the server AND the client.

If I set the server side to only accept TLS 1.2, what effect does ticking/unticking the client ciphers have?

I've read they should be ticked/unticked in pairs, but I've read nothing on this edge-case! For understanding the security implications, I'm trying to find out what happens if the ticks are "mismatched".

What I don't get is - if the server's set to use TLS 1.2 at the lowest for "Server", and the server's "Client" settings are TLS 1.1, and TLS 1.0... what on earth would that do with the handshake?

Does that mean the server only talks with TLS 1.2, but the client can talk to the server with TLS 1.1, and TLS 1.0?

I tried to work it out myself, thinking it through, but as far as I understand it, the ciphers come in pairs - if a client can decrypt server messages encrypted with TLS 1.2, it can encrypt its own at that level... so while the registry and IIS Crypto let the "Server" and "Client" settings be ticked differently, the end result is that they actually use whatever the client and server both have out of the strongest "Server" settings in IIS Crypto...

And I'm back to square one! What's the point of the "Client" settings if the client and server both use whatever's strongest out of the server's "Server" settings?

I'm guessing the server's "Client" settings are actually for some other part of the security system and not the SSL handshake in IIS?

Upvotes: 1

Views: 3778

Answers (1)

Jalpa Panchal

Reputation: 12789

Sometimes the server will act as a client. For example, I may call a web API that is hosted on Windows 2008 that does not support the latest TLS; in that case my server needs to set client TLS support to 1.0, but the server TLS support can still be 1.2.

https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-handshake-protocol

Upvotes: 2
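To make the split the answer describes concrete: IIS Crypto's "Client" and "Server" checkboxes write to two separate subkeys under each Schannel protocol key. The Server subkey governs what Schannel will accept when this machine is the one being connected to (IIS, RDP, LDAPS); the Client subkey governs what Schannel will offer when code on this machine opens an outbound TLS connection (WinHTTP, Invoke-WebRequest, a .NET HttpClient that uses the OS defaults). Inbound connections to IIS never consult the Client subkey, which is why "mismatched ticks" do not change the IIS handshake. The script below is an added example, not code from the question, the answer or IIS Crypto; the registry layout and value names are the documented Schannel ones, the function names and the report format are my own, and it assumes it is run on Windows (as an administrator if you uncomment the writes).

```powershell
# Added example: report the Schannel "Client" and "Server" protocol state that
# IIS Crypto toggles, flag role mismatches, and show how a legacy-client
# exception (TLS 1.0 outbound only) is expressed in the registry.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-SchannelRoleState {
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Role
    )
    $key = Join-Path $SchannelRoot "$Protocol\$Role"
    if (-not (Test-Path $key)) {
        # No key at all: Schannel uses the OS default for this version, which
        # differs between Windows releases, so the report says so rather than guess.
        return [pscustomobject]@{ Protocol = $Protocol; Role = $Role; State = 'OS default (no key)' }
    }
    $props   = Get-ItemProperty -Path $key
    $enabled = $props.Enabled            # DWORD; 0 = off, non-zero = on, $null = absent
    $dbd     = $props.DisabledByDefault  # DWORD; 1 = not negotiated unless the app asks for it
    $state = if ($enabled -eq 0)                           { 'Disabled' }
             elseif ($dbd -eq 1)                           { 'Enabled, not offered by default' }
             elseif ($null -eq $enabled -and $null -eq $dbd) { 'OS default (empty key)' }
             else                                          { 'Enabled' }
    [pscustomobject]@{ Protocol = $Protocol; Role = $Role; State = $state }
}

function Get-SchannelProtocolReport {
    foreach ($p in $Protocols) {
        $client = Get-SchannelRoleState -Protocol $p -Role Client
        $server = Get-SchannelRoleState -Protocol $p -Role Server
        [pscustomobject]@{
            Protocol   = $p
            Client     = $client.State   # what this machine offers when it dials out
            Server     = $server.State   # what this machine accepts when dialed in
            Mismatched = ($client.State -ne $server.State)  # the "mismatched ticks" case
        }
    }
}

function Set-SchannelRoleState {
    # Writes the same two values IIS Crypto writes for one role of one protocol.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Role,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $key = Join-Path $SchannelRoot "$Protocol\$Role"
    if ($PSCmdlet.ShouldProcess($key, "set Enabled=$([int]$Enabled)")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

Get-SchannelProtocolReport | Format-Table -AutoSize

# The answer's scenario: accept only TLS 1.2 inbound, but keep TLS 1.0 available
# for outbound calls to a legacy endpoint. Uncomment to apply (run elevated);
# Schannel reads these values at boot, so reboot before expecting a change.
# Set-SchannelRoleState -Protocol 'TLS 1.0' -Role Server -Enabled $false
# Set-SchannelRoleState -Protocol 'TLS 1.1' -Role Server -Enabled $false
# Set-SchannelRoleState -Protocol 'TLS 1.0' -Role Client -Enabled $true
```

Run the report before and after toggling boxes in IIS Crypto and the Mismatched column shows exactly which protocols are accepted inbound but not offered outbound (or the reverse). Two caveats a practitioner should keep in mind: an outbound TLS 1.0 exception on the Client side is a real downgrade exposure for every outbound connection from that host, not just the one legacy API, so scope it as narrowly and as briefly as the legacy dependency allows; and .NET Framework applications only follow the Schannel Client keys when they use the OS defaults (SystemDefaultTlsVersions, the default from .NET Framework 4.7 onward), otherwise ServicePointManager.SecurityProtocol in the application decides what the client offers regardless of these registry values.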
