So... It's impossible to support Android 7 and older on IIS? (In a non-hacky way?)

This is not quite correct as far as I've been able to test. Moving ISRG Root X1 to Untrusted only breaks validation for sites serving the long chain. Sites serving the short chain such as the main LE ACME endpoint work fine.

And for IIS, you only have to make the change to the SYSTEM user's cert store rather than the Local Computer's store which means the breakage only affects processes running as SYSTEM.

It's still ultimately a hack. But it is entirely possible to have a single Windows server that:

  • Serves the long chain directly from IIS
  • Can still renew certs even if the renewal process runs as SYSTEM
  • Doesn't affect validation at all for any user other than SYSTEM

I've personally tested this successfully on Windows Server 2019 with Posh-ACME, CTW, and win-acme.

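The per-account trick the reply describes, written out as an added PowerShell example (this is not the poster's script and not part of Posh-ACME, CTW or win-acme). It assumes you run it in a shell that really is SYSTEM (for example `psexec -s -i powershell.exe` or a scheduled task whose principal is SYSTEM), so that `CurrentUser` resolves to the SYSTEM profile's stores. The store names, the ISRG Root X1 subject and the ACME directory URL are real; the long-chain URL is a placeholder you replace with your own site.

```powershell
# Added example (not from the original post). Puts ISRG Root X1 in the SYSTEM
# account's Untrusted store only, so the long chain fails validation for
# processes running as SYSTEM while LocalMachine\Root, IIS and every other
# account are untouched.
using namespace System.Security.Cryptography.X509Certificates

$IsrgRootX1Subject = 'CN=ISRG Root X1, O=Internet Security Research Group, C=US'
$SystemSid = 'S-1-5-18'

function Assert-RunningAsSystem {
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    if ($sid -ne $SystemSid) {
        # Under any other account, CurrentUser would be *that* account's store.
        throw "Run this as SYSTEM ($SystemSid); current SID is $sid."
    }
}

function Open-Store {
    param([string]$Name, [StoreLocation]$Location,
          [OpenFlags]$Flags = [OpenFlags]::ReadOnly)
    $store = [X509Store]::new($Name, $Location)
    $store.Open($Flags)
    return $store
}

function Find-IsrgRootX1 {
    param([string]$Name, [StoreLocation]$Location)
    $store = Open-Store $Name $Location
    try { return @($store.Certificates | Where-Object { $_.Subject -eq $IsrgRootX1Subject }) }
    finally { $store.Close() }
}

function Move-IsrgRootX1ToSystemUntrusted {
    Assert-RunningAsSystem
    # Get a copy of the root from wherever it is currently trusted: SYSTEM's own
    # Root store, or LocalMachine\Root where the Windows root program puts it.
    $cert = @(Find-IsrgRootX1 'Root' CurrentUser) + @(Find-IsrgRootX1 'Root' LocalMachine) |
            Select-Object -First 1
    if (-not $cert) { throw 'ISRG Root X1 not found in any Root store; nothing to do.' }

    # "Untrusted Certificates" in the MMC is the store named "Disallowed".
    # The Disallowed store is consulted during chain building, so a cert here
    # is explicitly distrusted for this account even though the same cert
    # stays trusted in LocalMachine\Root for everyone else.
    $untrusted = Open-Store 'Disallowed' CurrentUser ([OpenFlags]::ReadWrite)
    try { $untrusted.Add($cert) } finally { $untrusted.Close() }
}

function Confirm-MachineUnaffected {
    # The check that matters: the root must NOT be in the machine-wide
    # Disallowed store, or every account (including IIS) would stop trusting it.
    if ((Find-IsrgRootX1 'Disallowed' LocalMachine).Count -gt 0) {
        throw 'ISRG Root X1 is in LocalMachine\Disallowed; that breaks all accounts.'
    }
    [pscustomobject]@{
        SystemUntrusted  = (Find-IsrgRootX1 'Disallowed' CurrentUser).Count -gt 0
        MachineUntrusted = $false
    }
}

function Test-ChainFromSystem {
    param(
        # Real endpoint; serves the short chain, so it should keep working.
        [string]$ShortChainUrl = 'https://acme-v02.api.letsencrypt.org/directory',
        # Placeholder: a site you serve with the long chain; expected to fail as SYSTEM.
        [string]$LongChainUrl  = 'https://longchain.example.invalid/'
    )
    Assert-RunningAsSystem
    foreach ($url in $ShortChainUrl, $LongChainUrl) {
        try {
            $null = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            "OK      $url"
        } catch {
            "FAILED  $url : $($_.Exception.Message)"
        }
    }
}

# Usage, from a SYSTEM shell:
#   Move-IsrgRootX1ToSystemUntrusted
#   Confirm-MachineUnaffected
#   Test-ChainFromSystem -LongChainUrl 'https://your-long-chain-site/'
```

The script only adds the root to SYSTEM's Disallowed store rather than also deleting it from a Root store: the Untrusted entry is what changes the trust decision, and leaving the trusted copy in LocalMachine\Root is exactly what keeps IIS (which does not run as SYSTEM) and other accounts validating the long chain. After running it, open a normal (non-SYSTEM) PowerShell and confirm `Find-IsrgRootX1 'Disallowed' CurrentUser` returns nothing there, which is the practical proof that only SYSTEM is affected.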