Powshell snippet
$repoPath = \\<fileserver>\<share>\WindowsUpdate-RootCertsRepo
Certutil -syncWithWU -f $repoPath
$sstStore = ( Get-ChildItem -Path $repoPath\*.crt )
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
Note: avoid importing SST file using generateSSTFromWU cerutil switch as it appears to corrupt microsoft root certs.
ref > https://social.technet.microsoft.com/Forums/en-US/13dc04f9-0f53-4071-8440-7d90d6ec9c6e/microsoft-root-certificate-authority-reported-as-revoked?forum=win10itprosecurity