In June 2013, Microsoft issued an update that makes updating CTLs (Certificate Trust Lists) easier in disconnected environments. For the purposes of automatic updating, Microsoft considers any environment that does not have access to the Windows Update site to be "disconnected."

The new update enables Windows PKI administrators to:

- change the update location from the predefined Windows Update URL to an intra-organizational shared folder that is reachable from disconnected clients;
- selectively disable or enable the updating of either the trusted or the untrusted CTL;
- create a custom set of trusted root certificates and distribute it via Group Policy.

The relevant knowledge base article can be found here, and its supporting documentation here. It is worth noting that the update is already included in Windows Server 2012 R2 and Windows 8.1, and that it does not apply to Windows XP or Windows Server 2003.
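The following PowerShell script is an added example of the workflow the three bullets describe; it is not part of the original article or of Microsoft's documentation. It assumes the registry values that the update introduced (RootDirUrl, DisableRootAutoUpdate and EnableDisallowedCertAutoUpdate under the AuthRoot keys) and the certutil switches -syncWithWU and -generateSSTFromWU, which are documented by Microsoft for this feature; the share path \\pki-dist\ctl and the SST file name are placeholders, and the script must run elevated because it writes to HKLM.

```powershell
# Step 1 (run on a machine that CAN reach Windows Update):
# pull the current trusted and disallowed CTLs plus root certificates into a
# folder that will be shared to the disconnected clients.
function Sync-CtlFromWindowsUpdate {
    param(
        [Parameter(Mandatory)] [string] $StagingDir   # e.g. \\pki-dist\ctl (placeholder)
    )
    if (-not (Test-Path $StagingDir)) { New-Item -ItemType Directory -Path $StagingDir | Out-Null }
    # certutil writes authrootstl.cab, disallowedcertstl.cab and the .crt files here.
    & certutil.exe -syncWithWU $StagingDir
    if ($LASTEXITCODE -ne 0) { throw "certutil -syncWithWU failed with exit code $LASTEXITCODE" }
    Get-ChildItem $StagingDir -Filter '*.cab' | Select-Object Name, Length, LastWriteTime
}

# Step 2 (run on each disconnected client, or deploy the same values via GPO):
# point the automatic updater at the internal share instead of Windows Update.
function Set-CtlUpdateLocation {
    param(
        [Parameter(Mandatory)] [string] $ShareUnc    # e.g. \\pki-dist\ctl (placeholder)
    )
    $autoUpdateKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    if (-not (Test-Path $autoUpdateKey)) { New-Item -Path $autoUpdateKey -Force | Out-Null }
    # RootDirUrl must be a file:// URL; UNC backslashes are converted to forward slashes.
    $fileUrl = 'file://' + ($ShareUnc.TrimStart('\') -replace '\\', '/')
    Set-ItemProperty -Path $autoUpdateKey -Name 'RootDirUrl' -Value $fileUrl -Type String
    Get-ItemProperty -Path $autoUpdateKey -Name 'RootDirUrl'
}

# Step 3: selectively turn the trusted-root and disallowed (untrusted) updaters on or off.
# Leaving both enabled and pointing at the share is the normal configuration; the
# switches exist for environments that distribute roots only via Group Policy.
function Set-CtlUpdatePolicy {
    param(
        [bool] $TrustedRootsEnabled   = $true,
        [bool] $DisallowedListEnabled = $true
    )
    # Policy key: DisableRootAutoUpdate = 1 stops trusted-root updates (assumed location,
    # matching the "Turn off Automatic Root Certificates Update" policy).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'DisableRootAutoUpdate' `
        -Value ([int](-not $TrustedRootsEnabled)) -Type DWord

    # EnableDisallowedCertAutoUpdate = 0 stops updates of the untrusted CTL.
    $autoUpdateKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    if (-not (Test-Path $autoUpdateKey)) { New-Item -Path $autoUpdateKey -Force | Out-Null }
    Set-ItemProperty -Path $autoUpdateKey -Name 'EnableDisallowedCertAutoUpdate' `
        -Value ([int]$DisallowedListEnabled) -Type DWord

    [pscustomobject]@{
        DisableRootAutoUpdate          = (Get-ItemProperty $policyKey).DisableRootAutoUpdate
        EnableDisallowedCertAutoUpdate = (Get-ItemProperty $autoUpdateKey).EnableDisallowedCertAutoUpdate
    }
}

# Step 4 (optional): build a custom trusted-root set as a .sst store for import into
# a GPO (Computer Configuration > Windows Settings > Security Settings >
# Public Key Policies > Trusted Root Certification Authorities).
function New-TrustedRootStore {
    param(
        [Parameter(Mandatory)] [string] $SstPath,   # e.g. \\pki-dist\ctl\roots.sst (placeholder)
        [string[]] $KeepThumbprints                 # optional allow-list of root thumbprints
    )
    & certutil.exe -generateSSTFromWU $SstPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -generateSSTFromWU failed with exit code $LASTEXITCODE" }
    # Show what is in the store so the administrator can review it before pruning it
    # in certmgr/certutil and importing it into the GPO.
    $roots = Get-PfxCertificate -FilePath $SstPath
    if ($KeepThumbprints) { $roots = $roots | Where-Object { $KeepThumbprints -contains $_.Thumbprint } }
    $roots | Select-Object Subject, Thumbprint, NotAfter
}

# Example invocation (paths are placeholders):
# Sync-CtlFromWindowsUpdate -StagingDir '\\pki-dist\ctl'
# Set-CtlUpdateLocation      -ShareUnc   '\\pki-dist\ctl'
# Set-CtlUpdatePolicy        -TrustedRootsEnabled $true -DisallowedListEnabled $true
# New-TrustedRootStore       -SstPath    '\\pki-dist\ctl\roots.sst'
```

Two points a practitioner should check after deploying this: the share should be readable by the computer accounts of the clients (the updater runs in the machine context, not as the logged-on user), and the staging machine should be re-synced on a schedule, since the disallowed CTL is the mechanism by which compromised certificates are revoked and a stale copy on the share leaves every disconnected client trusting them.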