I have recently run into an issue where a self-signed certificated was removed from all workstation Trusted Roots Store. No scripts were run or GP's to pushed to do this. I have ready many of articles on this and mention that sometime Windows AutoUpdate Root Certs and delete a certificate. My theory is and this is out there our self-signed certificates Serial NUmber matched or partically matched that of a CRL on a CRL. My question is there some way to check the serial number of our certificate again MS CRL? What interval does MS use to have workstations automatically remove certificates, is this weekly, monthly , daily?