We deploy hardened Windows Server 2022 servers in AWS. These servers reach out to RDS servers using a TLS-encrypted channel. During the TLS negotiation, the Windows server is reaching out to Windows Update, presumably to get a current list of trusted root authorities (we found this by watching network traffic with Wireshark - it was very repeatable). These servers do not have any access to the public internet, so the download times out. The connection to the database times out before the Windows Update download times out, so the database access fails.
In the old days (say Windows Server 2012 era), there was a registry setting that you could use to control how certificates were verified. I think you could specify 1-5 and it would behave differently depending on how you would pick that. I don't think that had to do with the trusted root update as much as whether it reached out to download a CRL.
My question is "Does anyone know how to stop Windows from downloading a list of trusted roots during the TLS handshake and force trust of the server certificate presented by RDS?" Or some other way to make this connection happen without public Internet access.