From time to time I get questions regarding certificates: users get certificate errors on newly installed computers.
Since certificates are time-limited and some will be revoked for whatever reason, the certificate store needs to be updated. Usually this is handled by Windows Update, WSUS, SUP or something similar, but what should you look for to approve?
A search at http://www.microsoft.com/download for "Root certificate" will help you, and this will give you a result that looks something like this:
Direct link for the latest at the moment: http://www.microsoft.com/download/en/details.aspx?id=28175
Just add this in your task sequence to make sure you have all new certificates from the beginning, and hopefully your Internet Explorer certificate errors will be gone!
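
To see what the update actually changed in the machine's trust anchors, you can snapshot the Trusted Root store before the update step and compare afterwards. The script below is an added example, not part of the original post; the function names and the snapshot path are assumptions chosen for illustration.

```powershell
# Added example: audit Cert:\LocalMachine\Root around a root certificate update.
# Run once before the update step (writes a snapshot), then again after it (prints the diff).

function Get-RootStoreSnapshot {
    # One row per certificate in the machine-wide Trusted Root store.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Select-Object Thumbprint, Subject, NotBefore, NotAfter
}

function Compare-RootStoreSnapshot {
    param(
        [object[]]$Before = @(),   # rows loaded from the saved snapshot
        [object[]]$After  = @()    # rows from the live store
    )
    $beforeIds = @($Before | ForEach-Object { $_.Thumbprint })
    $afterIds  = @($After  | ForEach-Object { $_.Thumbprint })
    $now = Get-Date

    [pscustomobject]@{
        # Trust anchors that appeared or disappeared between the two runs.
        Added   = @($After  | Where-Object { $_.Thumbprint -notin $beforeIds })
        Removed = @($Before | Where-Object { $_.Thumbprint -notin $afterIds })
        # Roots still in the live store whose validity period has ended.
        Expired = @($After  | Where-Object { $_.NotAfter -lt $now })
    }
}

# Hypothetical snapshot location; pick a path that survives the task sequence step.
$snapshotPath = Join-Path $env:TEMP 'rootstore-before.csv'

if (-not (Test-Path $snapshotPath)) {
    # First run: record the store as it is on the freshly installed machine.
    Get-RootStoreSnapshot | Export-Csv -Path $snapshotPath -NoTypeInformation
    Write-Output "Snapshot written to $snapshotPath"
}
else {
    # Second run: compare the saved snapshot with the live store.
    $before = @(Import-Csv -Path $snapshotPath)
    $report = Compare-RootStoreSnapshot -Before $before -After @(Get-RootStoreSnapshot)

    Write-Output "Added: $($report.Added.Count)  Removed: $($report.Removed.Count)  Expired: $($report.Expired.Count)"
    $report.Added   | Format-Table Thumbprint, Subject, NotAfter -AutoSize
    $report.Removed | Format-Table Thumbprint, Subject -AutoSize
    $report.Expired | Format-Table Thumbprint, Subject, NotAfter -AutoSize
}
```
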
This is one way of doing it, but I disagree that it is the best method.
I would distribute the certificates with Group Policy instead; this gives the administrators more power over what is trusted and what is not, since the company’s security policy might disagree with Microsoft on which PKI structures are to be trusted.
But as for unmanaged clients, this will work.