Configure trusted roots and disallowed certificates in Windows
Examining the root certificate set enables administrators to select a subset of certificates to distribute by using a Group Policy Object (GPO). This configuration is described in the "Use a subset of the trusted CTLs" section of this document.

Updating List of Trusted Root Certificates in Windows
In this article, we'll try to find out how to manually update the list of root certificates in TrustedRootCA in disconnected (isolated) networks or on computers/servers without direct Internet access.

Understanding Microsoft list of disallowed certificates
Also, there are certificates that were revoked from MSFT CAs (used for servicing purposes) that don't participate in CT Logs. You can get full copies of such certificates on pre-Windows 8 machines.

An update is available that enables administrators to update trusted . . .
Enables administrators to configure domain-joined computers to use the auto update feature for both trusted and disallowed Certificate Trust Lists (CTLs). The computers can use the auto update feature without accessing the Windows Update site.

Configure Trusted Roots and Disallowed Certificates
Manual: The list of trusted root certificates is available as a self-extracting IEXPRESS package in the Microsoft Download Center, the Windows catalog, or by using Windows Server Update Services (WSUS).

The Microsoft Root Certificate Program – Michael Waterman
Normally your Certificate Revocation List (CRL) will take care of that, but it's always a good idea to do an additional check. As far as I know, Windows doesn't have a built-in tool to verify Root Certificates, as I have always used the Sysinternals SigCheck tool for this purpose.