diff --git a/images/win/Windows2019-Azure.json b/images/win/Windows2019-Azure.json
index c93f79e75..7376f98ca 100644
--- a/images/win/Windows2019-Azure.json
+++ b/images/win/Windows2019-Azure.json
@@ -110,6 +110,12 @@
 "{{ template_dir }}/scripts/Installers/Update-DotnetTLS.ps1"
 ]
 },
+ {
+ "type": "powershell",
+ "scripts":[
+ "{{ template_dir }}/scripts/Installers/Install-RootCA.ps1"
+ ]
+ },
 {
 "type": "windows-restart",
 "restart_timeout": "10m"
diff --git a/images/win/scripts/Installers/Install-RootCA.ps1 b/images/win/scripts/Installers/Install-RootCA.ps1
new file mode 100644
index 000000000..824b2b465
--- /dev/null
+++ b/images/win/scripts/Installers/Install-RootCA.ps1
@@ -0,0 +1,24 @@
+# Serialized Certificate Store File
+$sstFile = "$env:TEMP\roots.sst"
+# Generate SST from Windows Update
+$result = certutil.exe -generateSSTFromWU $sstFile
+if ($LASTEXITCODE -eq 0) {
+ # Dump certificates
+ $result = certutil.exe -dump $sstFile
+ if ($LASTEXITCODE -eq 0) {
+ # Import Root CA into "Trusted Root Certification Authority"
+ try {
+ Import-Certificate -FilePath $sstFile -CertStoreLocation Cert:\LocalMachine\Root
+ } catch {
+ Write-Host "[Error]: failed to import ROOT CA`n$_"
+ }
+ }
+ else {
+ Write-Host "[Error]: failed to dump $sstFile sst file`n$result"
+ }
+}
+else {
+ Write-Host "[Error]: failed to generate $sstFile sst file`n$result"
+}
+
+exit $LASTEXITCODE
\ No newline at end of file
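Review bot: In Install-RootCA.ps1 a failed import still ends in `exit $LASTEXITCODE` with a value of 0, so the Packer step passes and the image ships without the refreshed roots in `Cert:\LocalMachine\Root`. `$LASTEXITCODE` is set only by the two `certutil.exe` calls, and the import runs only after `certutil.exe -dump` has returned 0; the `catch` block just prints with `Write-Host`. Make the failure visible to the build by adding `exit 1` as the last line of the `catch` block. The `catch` may also never run if the cmdlet reports a non-terminating error, so the call should probably be `Import-Certificate -FilePath $sstFile -CertStoreLocation Cert:\LocalMachine\Root -ErrorAction Stop`. Separately, `$env:TEMP\roots.sst` is left on disk once the script finishes; removing it after the import would keep the trust-anchor bundle out of the published image.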