Ah, of course. I should have thought of that. Yes, Microsoft assumes that you wouldn't be in a case where one was trying to validate a new certificate while not having Internet access to them. It looks like that assumption doesn't hold in your case.
It's not clear to me how Microsoft chooses which roots get actually pre-bundled rather than only-download-on-demand. I suppose it's possible that Let's Encrypt might have more luck reaching out to them and asking than you might, but I wouldn't expect a whole lot of luck either way. (To be slightly more optimistic, in this thread Let's Encrypt contacted Microsoft to change the root in their store to be trusted for Client Authentication, so it looks like changes of some sort are at least possible.)
In the meantime, I think that if you're going to have systems without Internet access that need to be able to validate Let's Encrypt certificates, you'll need to add the root to their trust store manually, by like downloading ISRG Root X1 self-signed PEM from Let's Encrypt directly and installing it, like via USB stick or adding it to the image you're cloning from or whatever "sneakernet"/non-online method makes sense for you.
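
The manual install described above, as an added PowerShell sketch that is not part of the original post: it checks the file carried over on offline media against a SHA-256 fingerprint obtained separately, then adds it to the machine's Trusted Root store. The file name `isrgrootx1.pem` and the fingerprint placeholder are assumptions; fill in the fingerprint from a source you trust before running.

```powershell
#Requires -RunAsAdministrator
param(
    # Assumed file name for the root certificate copied from offline media.
    [string]$Path = '.\isrgrootx1.pem',
    # Placeholder: SHA-256 certificate fingerprint obtained over a separate trusted channel.
    [string]$ExpectedSha256 = '<SHA256-FINGERPRINT-FROM-TRUSTED-SOURCE>'
)
$ErrorActionPreference = 'Stop'

# Accept "AA:BB:..." or "aabb..." by keeping only the hex digits.
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($expected.Length -ne 64) {
    throw 'Set -ExpectedSha256 to the 64-hex-digit fingerprint before running.'
}

# Resolve to a full path: .NET's working directory can differ from PowerShell's.
$fullPath = (Resolve-Path -LiteralPath $Path).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)

# The fingerprint is the SHA-256 of the DER-encoded certificate.
# ($cert.Thumbprint is SHA-1, so it is not used for this comparison.)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
try {
    $actual = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
} finally {
    $sha256.Dispose()
}

if ($actual -ne $expected) {
    throw "Fingerprint mismatch, not installing. File has: $actual"
}
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a self-signed root (issuer: $($cert.Issuer)), not installing."
}

# Add to the machine-wide Trusted Root Certification Authorities store.
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $store.Add($cert)
} finally {
    $store.Close()
}

# Confirm the certificate is now present in the store.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Thumbprint -eq $cert.Thumbprint |
    Format-List Subject, NotAfter, Thumbprint
```

The fingerprint check matters most on the sneakernet path, since a file that passed through removable media or a cloned image is exactly what an attacker would try to swap before it becomes a trusted root.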