You can list the expired certificates, or which expire in the next 30 days: Get-Childitem cert:LocalMachineroot |format-list You can also get a list of trusted root certificates with expiration dates using PowerShell:
How to see the list of root certificates of a Windows computer? Managing Trusted Root Certificates in Windows 10 However, it isn’t always possible or applicable due to corporate restrictions.
Note. If your computers access the Internet through a proxy server, in order to automatically update root certificates on users’ computers, Microsoft recommends that you open direct access (bypass) to Microsoft websites. In this article, we’ll try to find out how to manually update the list of root certificates in TrustedRootCA on isolated networks or computers/servers without a direct Internet connection. If Windows doesn’t have a direct access to the Windows Update directory, the system won’t be able to update the root certificates, so a user may have some troubles with opening websites (which SSL certificates are signed by an untrusted CA, or with installing/running signed scripts and apps. Windows requests a trusted root certificate lists (CTL) renewal once a week. If the verified certificate in its certification chain refers to the root CA that participates in this program, the system will automatically download this root certificate from the Windows Update servers and add it to the trusted ones. As part of the Microsoft Trusted Root Certificate Program, MSFT maintains and publishes a list of certificates for Windows clients and devices in its online repository. All Windows versions has a built-in feature for automatically updating root certificates from the Microsoft websites.