@ngbrown
Created April 27, 2021 23:16
Download root certs for offline computer
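# Run on an Internet-connected computer: download the root certificates and trust lists from Windows Update.
# The download goes to the certs folder next to this script, the same folder the later steps read from.
certutil -syncwithwu -f -f "$PSScriptRoot\certs"
# Build one "certutil -addstore root" line per downloaded .crt file.
# %~dp0 expands to the folder of the generated .cmd file on the target computer.
$certFiles = Get-ChildItem "$PSScriptRoot\certs\*.crt"
$certCommands = $certFiles | %{'certutil -addstore root "%~dp0certs\' + $_.Name + '"'}
# Extract the .stl trust lists from the downloaded cabinet files.
extrac32 /Y "$PSScriptRoot\certs\authrootstl.cab" "$PSScriptRoot\certs\authroot.stl"
extrac32 /Y "$PSScriptRoot\certs\disallowedcertstl.cab" "$PSScriptRoot\certs\disallowedcert.stl"
extrac32 /Y "$PSScriptRoot\certs\pinrulesstl.cab" "$PSScriptRoot\certs\pinrules.stl"
# Write update-certs.cmd next to this script; copy it together with the certs folder to the target computer.
$outputCmdPath = "$PSScriptRoot\update-certs.cmd"
'REM Run on target computer' | Out-File -Encoding ASCII $outputCmdPath
$certCommands | Out-File -Encoding ASCII -Append $outputCmdPath
'certutil -addstore -f root "%~dp0certs\authroot.stl"' | Out-File -Encoding ASCII -Append $outputCmdPath
'certutil -setreg chain\PinRules "@%~dp0certs\pinrules.stl"' | Out-File -Encoding ASCII -Append $outputCmdPath
'' | Out-File -Encoding ASCII -Append $outputCmdPath
# The disallowed-list import is written to the .cmd file as a REM line, so it is not executed.
'REM Windows 7 is importing primary signing certificates.' | Out-File -Encoding ASCII -Append $outputCmdPath
'REM certutil -addstore -f disallowed "%~dp0certs\disallowedcert.stl"' | Out-File -Encoding ASCII -Append $outputCmdPath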