Where to get root CA certificates for Windows Server now that Microsoft no longer updates them?

Solution 1:

It seems that this is due to the oddball GPO that my company uses.

As outlined here the GPO setting Computer Configuration\Administrative Templates\System\Internet Communication Management\Turn off Automatic Root Certificates Update was Enabled, meaning that the OS wouldn't pull root CAs from Microsoft. Setting this to Disabled fixed the issue.

Solution 2:

We found that the root CAs were out of date on some of our Windows 2012 R2 servers.

Having investigated this, it appears Microsoft released a patch to provide the ability for "Controlling the Update Root Certificates Feature to Prevent the Flow of Information to and from the Internet" (KB article).

This patch introduces new registry keys for stopping Windows Update from updating the root CAs along with other functionality.

Setting the following registry Key to 0 fixes the problem. The certificates begin installing immediately after the change.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate

Whilst I can see that Admins may want to control their machines from updating without their consent, I think not allowing root CAs to update is an edge case which is likely to cause more problems than it fixes, and I do not yet know why the registry key has been set on our servers.

There is discussion of these registry keys and other things you can do on Windows 2012 R2 servers here.
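The GPO in Solution 1 and the registry value in Solution 2 are the same control: enabling "Turn off Automatic Root Certificates Update" writes DisableRootAutoUpdate = 1 under the policy key quoted above. The script below is an added example, not code from either answer, that audits that value across one or more servers and can clear it; it assumes it runs with local administrator rights and that PowerShell Remoting is available for the remote case (the computer names are placeholders).

```powershell
# Added example: audit (and optionally clear) the policy value that blocks
# automatic root CA updates. Not part of the original answers; assumes an
# elevated session and PS Remoting to the target servers.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$ValueName = 'DisableRootAutoUpdate'

function Get-RootAutoUpdateState {
    # When the value is absent, Windows defaults to pulling roots from Windows Update.
    $value = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        PolicyValuePresent    = ($null -ne $value)
        DisableRootAutoUpdate = $value
        AutoUpdateBlocked     = ($value -eq 1)
    }
}

function Enable-RootAutoUpdate {
    # Sets the value to 0, which is what Solution 2 describes. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", 'Set to 0')) {
        Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 0 -Type DWord
    }
}

# Local audit
Get-RootAutoUpdateState | Format-Table -AutoSize

# Fleet audit (placeholder names): list every server where updates are blocked
$servers = 'SRV01', 'SRV02'   # placeholders, replace with real hosts
Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-RootAutoUpdateState} |
    Where-Object AutoUpdateBlocked |
    Select-Object ComputerName, DisableRootAutoUpdate

# Remediate locally, after confirming with -WhatIf first
Enable-RootAutoUpdate -WhatIf
# Enable-RootAutoUpdate
```

If the value is being delivered by Group Policy, editing the registry directly only helps until the next policy refresh, when the GPO rewrites it; in that case fix the GPO setting as Solution 1 describes and let the registry follow. Running the audit before and after is a cheap way to confirm which of the two situations you are in.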