According to this answer IIS can use Authority Information Access certificate extension to retrieve missing issuer certificate.
Here's the scenario. There's an IIS installation with an HTTPs endpoint which has an SSL certificate. Normally the IIS owner must also install all the intermediate certificates into the local "Intermediate Authorities" ("CA") store so that when a client connects the server can send all the chain except the root certificate. However IIS owner may forget to install the intermediate certificate. Then according to that answer IIS will use AIA and retrieve the intermediate certificate and continue serving it to all clients.
Looks like this is the default behavior and I cannot find how it can be changed.
Can I prohibit IIS from fetching intermediate certificates? Are there any settings for that?