I always use secpol.msc to disable Revocation and Network Retrieval for Windows Certificate Path Validation to prevent Windows from contacting ctldl.windowsupdate.com, which it does even when Windows Update is disabled in policy settings and in services.msc. It works fine in Windows 10 1709-1909, but once I clean-install Windows 10 Pro 19043.844, disabling Revocation does not create any problems, but disabling Network Retrieval cuts me off from the internet. When I try to use a 3rd-party DNS resolver, it spits out an x509 certificate error. Re-enabling Network Retrieval fixes the issue, but it also makes Windows contact ctldl.windowsupdate.com. Any ideas why Windows is enforcing Network Retrieval in version 19043.844? For now the best I can do is block ctldl.windowsupdate.com in the hosts file and in the firewall, but it isn't the most optimal solution.