Root certificates come into play when you use Secure Sockets Layer (SSL) on a Web site. Microsoft has added dozens of organizations to the list of trusted authorities, and it uses specific criteria to add companies to this list. According to Microsoft, many users have limited resources to verify the authenticity of an authority; as a result, these users are unable to decide whom to trust. As a public service, Microsoft provides the Update Root Certificates feature, which automatically adds new trusted authorities that were blessed by Microsoft to your trusted authorities list.
Some people will find it interesting that, in the case of DRM technology, Microsoft (and other vendors) can add applications running on your computer to their blacklist without your knowledge. With automatic root certificate updates, Microsoft decides (on your behalf) who you should trust because they figure that you're "uncomfortable" making the right choice. If you prefer to make your own decisions about who you should trust, you can remove the Update Root Certificates feature.
As I pointed out earlier, Microsoft uses special criteria to add vendors to the trusted list. However, if these "trusted" vendors were to mistakenly issue fraudulent certificates, then we are all at risk. That's exactly what happened last year when VeriSign, a trusted third party, issued a pair of fraudulent digital certificates to an imposter claiming to be a Microsoft employee. For more details, check out the article "Microsoft Updates Windows to Combat VeriSign Glitch." In general, one would hope that updating the root certificates automatically is not a security risk. However, if you decide to disable this feature, use the following method on a standalone computer:
Go to Control Panel, Add or Remove Programs.
Click Add/Remove Windows Components.
Uncheck the box Update Root Certificates, as shown in Figure 5.
Figure 5 Disabling automatic updating of root certificates.
On a domain, you can disable the root certificate updates by implementing a Group Policy. However, make sure you understand the ramifications of disabling this feature. Among other things, it can significantly increase your workload because you will have to do some research before you add organizations to your trusted authority list.
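
To support the research mentioned above, here is an added example (not from the original article) in PowerShell: it reports whether automatic root updates are turned off by policy and compares the machine's trusted root store against a saved baseline, so that additions and removals are visible. It assumes a current Windows version with PowerShell 3.0 or later; the baseline file name is hypothetical, and the registry value checked is the one written by the Group Policy setting "Turn off Automatic Root Certificates Update".

```powershell
# Added example: audit the trusted root store against a saved baseline.
param([string]$BaselinePath = '.\trusted-roots-baseline.csv')  # hypothetical file name

function Get-RootAutoUpdateState {
    # Value written by the "Turn off Automatic Root Certificates Update" policy.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $v = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.DisableRootAutoUpdate -eq 1) { 'disabled by policy' }
    else { 'enabled (no policy value set)' }
}

function Get-TrustedRootInventory {
    # One record per certificate in the machine-wide Trusted Root store.
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            Expired    = ($_.NotAfter -lt $now)
            SigAlg     = $_.SignatureAlgorithm.FriendlyName
        }
    }
}

"Automatic root certificate update: $(Get-RootAutoUpdateState)"
$current = @(Get-TrustedRootInventory)
"Trusted roots found: $($current.Count)"

if (-not (Test-Path $BaselinePath)) {
    # First run: record what is trusted today so later changes stand out.
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    "Baseline written to $BaselinePath"
    return
}

# Later runs: index the baseline by thumbprint and report differences.
$known = @{}
Import-Csv $BaselinePath | ForEach-Object { $known[$_.Thumbprint] = $_.Subject }
$seen = @{}
foreach ($c in $current) {
    $seen[$c.Thumbprint] = $true
    if (-not $known.ContainsKey($c.Thumbprint)) { "ADDED   $($c.Thumbprint)  $($c.Subject)" }
    if ($c.Expired) { "EXPIRED $($c.Thumbprint)  $($c.Subject)" }
}
foreach ($t in $known.Keys) {
    if (-not $seen.ContainsKey($t)) { "REMOVED $t  $($known[$t])" }
}
```

Run it once to create the baseline, then again after updates or policy changes; each ADDED line is an authority that needs the manual review described above.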