By default the Windows Server operating system contains very few Trusted Root Certification Authority certificates.

On the system examined here, Windows Server 2016, the certificate store contains just sixteen CA root certificates, which leads to trust errors when browsing public and third-party websites with Internet Explorer hosted on Citrix XenApp Virtual Delivery Agents.

According to Microsoft:

The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site. Specifically, there is a list of trusted root certification authorities (CAs) stored on the local computer. When an application is presented with a certificate issued by a CA, it will check the local copy of the trusted root CA list. If the certificate is not in the list, the Automatic Root Certificates Update component will contact the Microsoft Windows Update Web site to see if an update is available. If the CA has been added to the Microsoft list of trusted CAs, its certificate will automatically be added to the trusted certificate store on the computer.

(Source: Automatic Roots Certificate Update Configuration)

This on-demand lookup adds time to web browsing, and depending on the state of Windows services, GPO configuration and outbound connectivity it may not be possible for a user to complete at all. It is therefore advisable to update the Trusted Root Certificate Store regularly as part of your VDA Master Image maintenance routine, using the following commands from a PowerShell console.

# Create C:\temp\certs
md C:\temp\certs

# Download the latest SST (serialized certificate store) from Windows Update
# (note: a plain hyphen before the switch, not an en dash)
CertUtil -generateSSTFromWU C:\temp\certs\RootStore.sst

# Import RootStore.sst into the Trusted Root CA store of the local machine
$file = Get-ChildItem -Path C:\temp\certs\RootStore.sst
$file | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root\

After completing this procedure, the Trusted Roots Certificate Store will contain well over 350 CA root certificates.
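The commands above import the whole SST blindly. As an added example (not from the original post), the script below, run after the CertUtil download step, compares the SST against the local machine Root store by thumbprint, reports the before/after counts so the "well over 350" figure can be verified, flags any SST entry that is not self-signed, and imports only the missing roots so the step is idempotent when repeated in the image maintenance routine. The paths are the ones used in the post; the CSV output path is an assumption.

```powershell
# Added example: import only the roots missing from Cert:\LocalMachine\Root
# and record what was added. Assumes RootStore.sst was produced with
#   CertUtil -generateSSTFromWU C:\temp\certs\RootStore.sst
$sstPath   = 'C:\temp\certs\RootStore.sst'        # path from the post
$storePath = 'Cert:\LocalMachine\Root'
$logPath   = 'C:\temp\certs\roots-added.csv'      # assumed output location

# Load the SST without touching the store; an SST is a serialised certificate collection
$sst = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$sst.Import($sstPath)

# Index what is already trusted, keyed by SHA-1 thumbprint
$before  = @(Get-ChildItem -Path $storePath)
$present = @{}
foreach ($c in $before) { $present[$c.Thumbprint] = $true }

$missing = @($sst | Where-Object { -not $present.ContainsKey($_.Thumbprint) })
"Root store before: {0} certificates; SST contains {1}; missing locally: {2}" -f `
    $before.Count, $sst.Count, $missing.Count

# Review step: a root store should only hold self-signed certificates
$notSelfSigned = @($sst | Where-Object { $_.Subject -ne $_.Issuer })
if ($notSelfSigned.Count -gt 0) {
    Write-Warning ("{0} entries in the SST are not self-signed; review before trusting" -f $notSelfSigned.Count)
}

if ($missing.Count -gt 0) {
    # Add only the missing roots through the .NET store API
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    foreach ($c in $missing) { $store.Add($c) }
    $store.Close()

    # Keep a record of what changed for the master image change log
    $missing | Select-Object Subject, Thumbprint, NotBefore, NotAfter |
        Export-Csv -Path $logPath -NoTypeInformation
}

$after = @(Get-ChildItem -Path $storePath)
"Root store after: {0} certificates" -f $after.Count
```

Run it from an elevated PowerShell console, since writing to the LocalMachine Root store requires administrator rights. The thumbprint comparison is what makes repeated runs cheap: on a second run against the same SST the script reports zero missing roots and writes nothing.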

Configure Trusted Roots and Disallowed Certificates

An update is available that enables administrators to update trusted and disallowed CTLs in disconnected environments in Windows