Why does Best Practices still include TLS 1.0?

Unfortunately if you disable TLS 1.0 you will break some user's connections. All versions of Internet Explorer on Windows Vista and older as well as Android versions 4.3 and lower will not be able to connect. For a full list of web browser compatibility click here. If you are comfortable with disabling TLS 1.0 and 1.1 we recommend using the built in PCI 4.0 template instead.

IIS Crypto 3.3 is the last version that will enable TLS 1.0 and 1.1 in the Best Practices template.