Certificate store ACL change supportability
You may find a security assessment report that recommends you change the Access Control List (ACL) for ProtectedRoot certificate store in the registry.
Microsoft does not recommend making this change to the ACL for ProtectedRoot certification in the registry.
Changing ACL’s on certificate stores is not supported or tested. Functional impairment can be the result and careful testing for the customer specific situation/effects is recommended.
Controlling the root ca list can be done by GPO and there is no need to modify the ACL’s on the persistency containers to achieve the target. Check the documentation on “Enterprise Trusted Root Certificates”
For more information on this issue, including potential causes, workarounds, and resolutions, see: Microsoft KB Article KB965500.