Hello,
We are required to disable TLS 1.0 on all our servers and found that in one RDS deployment FIPS is enabled, which is basically forcing TLS 1.0 and 1.1 to be on. In our config we have the broker, gateway, and RDWeb on one server, with RemoteApps and full desktop sessions on 2 separate session hosts.
Only the broker has FIPS enabled. The session hosts do not have it. All servers have the registry keys to disable TLS 1.0, TLS 1.1, SSL 2 & 3, PCT and MPUH, as well as disabled weak ciphers (RC2, RC4, DES, etc.). When we turn off FIPS on the broker/gateway, we see that it can no longer manage the RDS settings for any of the servers in the RDS pool, including itself.
In the System log we get SCHANNEL event IDs:
Log Name: System
Source: Schannel
Date: 6/19/2018 2:36:42 PM
Event ID: 36871
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: <removed>
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Log Name: System
Source: Schannel
Date: 6/19/2018 2:56:56 PM
Event ID: 36874
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: <removed>
Description: An TLS 1.1 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

Log Name: System
Source: Schannel
Date: 6/19/2018 2:56:56 PM
Event ID: 36888
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: <removed>
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.
We have a public (InCommon) cert signed with SHA256 (not SHA512 as I've read about issues with that) that has been working fine for over a year with FIPS on. Everything else we've found so far makes it seem like it should work, but it does not for us. We've even tried using IISCrypto and that makes no difference.
Any help in getting to the bottom of this would be greatly appreciated.
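Added example, not part of the original post: a PowerShell audit that dumps the Schannel protocol and cipher registry state and the FIPS policy flag on one server, plus the most recent Schannel errors of the three IDs quoted above, so the broker/gateway and each session host can be compared side by side. It assumes the documented Schannel key layout under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL and the FipsAlgorithmPolicy key under Control\Lsa; the note about which protocols are on by default when no key exists is an assumption for Server 2012 R2 / 2016 (the post does not state the OS version). The cipher key list is the usual set of weak-cipher keys and is not taken from the post.

```powershell
# Added example (not from the original post): audit the Schannel protocol and
# cipher registry settings plus the FIPS policy flag on the local server.
# Run elevated; wrap in Invoke-Command -ComputerName <host> to audit a remote host.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm     = [Microsoft.Win32.Registry]::LocalMachine

# Read a single DWORD; returns $null when the key or value does not exist.
function Get-DwordOrNull([string]$SubKey, [string]$Name) {
    $k = $hklm.OpenSubKey($SubKey)
    if ($null -eq $k) { return $null }
    try { return $k.GetValue($Name) } finally { $k.Close() }
}

# FIPS mode: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled
$fips = Get-DwordOrNull 'SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
"{0,-30} {1}" -f 'FIPS mode (FipsAlgorithmPolicy)', $(if ($fips -eq 1) { 'ENABLED' } else { 'disabled' })

# Protocols: each has Client and Server subkeys holding Enabled / DisabledByDefault.
# Assumption (Server 2012 R2 / 2016): a missing key means the OS default applies,
# i.e. TLS 1.0-1.2 offered; SSL 2.0, PCT 1.0 and Unified Hello not offered.
$protocols = 'Multi-Protocol Unified Hello', 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
foreach ($p in $protocols) {
    foreach ($side in 'Client', 'Server') {
        $sub     = "$schannel\Protocols\$p\$side"
        $enabled = Get-DwordOrNull $sub 'Enabled'
        $dbd     = Get-DwordOrNull $sub 'DisabledByDefault'
        $state = if ($null -eq $enabled -and $null -eq $dbd) { 'OS default (key absent)' }
                 elseif ($enabled -eq 0)                     { 'DISABLED' }
                 elseif ($dbd -eq 1)                         { 'enabled, DisabledByDefault=1' }
                 else                                        { 'enabled' }
        "{0,-30} {1,-7} {2}" -f $p, $side, $state
    }
}

# Weak cipher keys (usual set, not taken from the post). The key names contain '/',
# so use the .NET registry API rather than Get-ItemProperty, which would treat '/'
# as a path separator.
$ciphers = 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
           'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128',
           'DES 56/56', 'Triple DES 168', 'NULL'
foreach ($c in $ciphers) {
    $enabled = Get-DwordOrNull "$schannel\Ciphers\$c" 'Enabled'
    $state = if ($null -eq $enabled) { 'OS default (key absent)' }
             elseif ($enabled -eq 0) { 'DISABLED' }
             else                    { 'enabled' }
    "{0,-30} {1}" -f $c, $state
}

# Most recent Schannel errors with the IDs quoted in the post, one line each,
# so the registry state can be correlated with what Schannel is rejecting.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36871, 36874, 36888 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it on the broker/gateway with FIPS on, again with FIPS off, and on each session host; any row that differs between the box that still manages the pool and the one that no longer does is the first place to look, and a TLS 1.2 Server or Client row that reads anything other than "enabled" on any host would by itself explain the 36874 failures once the older protocols are gone.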