TLS 1.0 is considered broken and obsolete, and a growing number of servers no longer support the protocol by default. The Jenkins master web server is one of them: some recent update disabled TLS 1.0 when the server is set up for HTTPS communication.
The Windows service wrapper used to start slave.jar as a service on Windows is written in .NET. For some reason Microsoft has set TLS 1.0 as the default protocol for the .NET Framework. Thus the service wrapper cannot connect to an HTTPS-configured master and download updates of slave.jar.
If a recent enough .NET Framework is installed in the Windows environment, the default behavior can be changed both at run time (per process) and with system settings: https://johnlouros.com/blog/enabling-strong-cryptography-for-all-dot-net-applications
It would be great if the service wrapper could be updated to override the default system settings.
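
The system-wide setting mentioned above can be audited and applied with a script like the following. This is an added example, not part of the original report or the Jenkins project; it assumes a .NET Framework 4.x install, and the `-Apply` switch and function name are hypothetical names chosen for illustration.

```powershell
# Added example: report (and with -Apply, set) the .NET Framework 4.x
# registry values that make managed apps stop defaulting to TLS 1.0.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

# Both registry views matter: a 32-bit wrapper on 64-bit Windows reads Wow6432Node.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
# SchUseStrongCrypto: enable strong protocols for apps that do not choose one.
# SystemDefaultTlsVersions: let the OS (Schannel) choose the protocol version.
$valueNames = 'SchUseStrongCrypto', 'SystemDefaultTlsVersions'

function Get-StrongCryptoState {
    foreach ($key in $keys) {
        foreach ($name in $valueNames) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $name `
                            -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Key       = $key
                Value     = $name
                Current   = $current
                Compliant = ($current -eq 1)
            }
        }
    }
}

if ($Apply) {
    foreach ($row in Get-StrongCryptoState | Where-Object { -not $_.Compliant }) {
        if (-not (Test-Path $row.Key)) { continue }   # this registry view is not present
        New-ItemProperty -Path $row.Key -Name $row.Value -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

Get-StrongCryptoState | Format-Table -AutoSize

# Per-process alternative: add TLS 1.2 for the current process only.
# This line changes nothing outside this PowerShell session.
[Net.ServicePointManager]::SecurityProtocol =
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
```

Writing under HKLM requires an elevated session, and the service has to be restarted before it picks up the new values.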