Trusted Root Certificate Authority

in each devices of Windows Operating System will have the Trusted Root Certificate Authority that store into the Certificate repository. Normally this will be handle automatically by Windows Update but many organization using their own patch management where it have done the firewall level of security to prevent the devices not to update. With this situtation you may need to seek your security team to open the Windows Update port to do the Updates or you may needed to do in manual method by using PowerShell Scripts. You can used the below PowerShell Script to do the checking and update.

You can list the expired certificates, or which expire in the next 60 days:

Get-ChildItem cert:\LocalMachine\root|Where {$_.NotAfter -lt (Get-Date).AddDays(60)}|select NotAfter, Subject

To generate an SST file on a computer running Windows 10 or 11 and having direct access to the Internet, open the elevated command prompt and run the command:

mkdir C:\PS certutil.exe -generateSSTFromWU C:\PS\roots.sst

Copy to the file and put into a share folder or map drive for easy deployment. Like below example I have put into my NAS storage (192.168..1.8) and share a folder to all local computers. You can used the PowerShell Scripts below to import all the certificates into the Windows End-Point Devices.

$sstStore = ( Get-ChildItem -Path '\\192.168.1.8\share\root.sst' )
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root

Run the certmgr.msc snap-in and make sure that all certificates have been added to the Trusted Root Certification Authority. Example like I am using WIndows 11, the number of total root certificates increased above 400. Than you successfully updated the Microsoft Trusted Root Certificate Authority Store. As my personal opinion, this tasks will need to do it every month where Microsoft will update this Microsoft Trusted Root Certificate Authority Store every 2 weeks.