The standard process (which would automatically download and install the ISRG Root X1 cert) is broken on the affected machines. That's the problem. Unfortunately, there's not a lot of common knowledge out there regarding how this gets broken. And without knowing how each user's machine broke, you can't begin to fix their (potentially different) problems.
Installing the ISRG Root X1 certificate manually is a work around that should fix this particular symptom of the underlying problem. It can be as simple as providing a registry file that they can double-click to import the certificate such as this one. You'll have to remove the .txt extension because the forum won't let me attach .reg files.
ISRG Root X1 - HKLM - AuthRoot.reg.txt (11.1 KB)
But some users (with good reason) may not want to trust a random registry file from "some guy on the Internet". The more trustworthy instructions are also more complicated.
- Download the cert directly from Let's Encrypt here
- Install it into the Local Computer's
Trusted Root Certification Authoritiescert store, the process for which varies depending on the OS version.