DisabledByDefault (or lack of it) does not mean it's totally disabled
https://stackoverflow.com/a/51962330
this mean on Windows 7 (with default SChannel registry), apps or components can still negotiate and enable TLS 1.2 on their own per request
like Windows Update, which communicate with https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx
or powershell
$Tls12 = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072); [System.Net.ServicePointManager]::SecurityProtocol = $Tls12; Invoke-WebRequest -Uri https://www.howsmyssl.com/a/check | ConvertFrom-Json
if you want to enable TLS 1.2 for all by default, then add the required registry for the 4 parts (SChannel, IE11, WinHTTP, .NET)