Try running these commands from a Command Prompt or an asynch Process.Start type of thing to force a root CA refresh & it's done. Simple enough.
Refreshes the root CA certificate store:
certutil -verifyctl AuthRoot | findstr /i "lastsynctime"
Refreshes the untrusted root certificates:
certutil -verifyctl Disallowed | findstr /i "lastsynctime"
Both return the timestamp of the last synch date-time. Like you said, it's supposed to happen weekly, so a new Windows install won't necessarily know about them. Running both certutil commands takes care of it.