Your question appears to be pretty large in nature. If you want to get into each app, you’ll need to craft something together or use a port scanner security tool I am afraid.
Example: In our case, we opted to disable old protocols at the OS level but frequently get hits on TLS still such as BigFix, BigFix WebReports, and BigFix Server Notification service. By default, each is/was not using TLS 1.2 and the port scanner found these. We fixed each with their respective properties/fixlets/app.