TL;DR: do one of those, anything will work
open https://valid-isrgrootx1.letsencrypt.org from IE, edge, or chrome (firefox uses own store so doesn't work here) Or
Run this one liner command to run in windows clinet to fetch the ISRG root from MS
powershell invoke-webrequest -usebasicparsing https://valid-isrgrootx1.letsencrypt.org
it will spit out result of webrequest but you can discard it.
then restart your problematic program.
powershell invoke-webrequest uses MS's verification stack so it can fetch new root certificate from MS
-usebasicparser is because otherwise you need initialized internet explorer to run, which I can't assume
Problem is windows doesn't have all trusted root certificate by default, but download from MS server when they first need to verification against that.(Lazy-loading) but if a program load trust store from local file run their own verification stack, ISRG root cert isn't in local file so it's untrusted, and it won't ask MS server to load new root certificate.
so to fix this you should connect something that uses ISRG root certificate from program that use windows internal verification process. for TLDR I pick powershell invoke-webrequest, but you can use anything you are easy to work with.
for long term solution as programmer that write the client, you should either use windows' cert verification stack, or bring your own trust store with your own trust anchor (like from Mozilla's NSS) loading (system) CAs from windows than using your own verification functions is not a valid option. (if you use latter you probably should also load user-trusted enterprise CAs added in windows too)
wrote some to use as point-to thread from problems with "windows don't have Isrg in local yet beacause lazyloading" problem.
any improvement will be welcome and need better name for this thread to draw attention