Root certificates on Windows Vista and later are distributed via the automatic root update mechanism – that is, per root certificate. When a user visits a secure Web site (by using HTTPS SSL), reads a secure email (S/MIME), or downloads an ActiveX control that is signed (code signing) and encounters a new root certificate, the Windows certificate chain verification software checks Microsoft Update for the root certificate. If it finds it, it downloads the current Certificate Trust List (CTL) containing the list of all trusted root certificates in the Program, and verifies that the root certificate is listed there; it then downloads the specified root certificate to the system and installs it in the Windows Trusted Root Certification Authorities Store. If the root certificate is not found, the certificate chain is not completed, and the system returns an error. To the user, a successful root update is seamless. The user does not see any security dialog boxes or warnings. The download happens automatically. In addition, Windows Vista and later client SKUs support weekly pre-fetching from Microsoft Update to check for updated root certificate properties (for example, extended validation (EV), code signing or server authentication properties, which are certificate properties added to a root certificate).
For detailed technical information about how Windows updates root certificates in Windows Vista and later, visit the following Web site: Certificate Support and Resulting Internet Communication in Windows Vista