Hello @Chong,
Thank you so much for posting here.
If the root CA is a standalone offline root CA, we must publish the root certificate into AD using the following command, and then the root certificate will be distributed to the trusted root store of all domain-joined clients.
certutil -f -dspublish <RootCACertificate> RootCA
If the root CA was joined to the domain, this will eventually happen automatically, but it can take up to 8 hours (default GPO application time). To force the issue, reboot a client computer and it will pick up the root CA certificate.
There is no GPO configured to distribute the root certificate.
For any question, please feel free to contact us.
Best regards,
Hannah Xiong
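Added example, not part of the answer above: a PowerShell check that the root certificate published with `certutil -dspublish` is present in AD and has reached a domain-joined client's trusted root store. The script and its `$RootCertPath` parameter are assumptions for illustration; it reads the Certification Authorities container in the Configuration partition, which is where the `RootCA` publish type writes, and must be run on a domain-joined machine.

```powershell
using namespace System.Security.Cryptography.X509Certificates

param(
    [Parameter(Mandatory)]
    [string]$RootCertPath   # assumption: path to the exported root CA certificate file
)

# Load the certificate that was published and take its thumbprint as the match key.
$rootCert = [X509Certificate2]::new((Resolve-Path $RootCertPath).ProviderPath)
$thumb    = $rootCert.Thumbprint

# 1. AD side: look for the same certificate in
#    CN=Certification Authorities,CN=Public Key Services,CN=Services,<Configuration NC>
$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNC"

$inAD = $false
foreach ($entry in $container.psbase.Children) {
    # cACertificate is multi-valued; each value is a DER-encoded certificate.
    foreach ($raw in $entry.psbase.Properties['cACertificate']) {
        $published = [X509Certificate2]::new([byte[]]$raw)
        if ($published.Thumbprint -eq $thumb) { $inAD = $true }
    }
}

# 2. Client side: has this machine placed it in its trusted root store yet?
$inStore = Test-Path -Path "Cert:\LocalMachine\Root\$thumb"

[pscustomobject]@{
    Subject            = $rootCert.Subject
    Thumbprint         = $thumb
    NotAfter           = $rootCert.NotAfter
    PublishedInAD      = $inAD
    InLocalMachineRoot = $inStore
}

if ($inAD -and -not $inStore) {
    Write-Warning 'Published in AD but not yet in this client''s trusted root store.'
} elseif (-not $inAD) {
    Write-Warning 'Certificate not found in the Certification Authorities container.'
}
```

Matching on the thumbprint rather than the subject name catches a stale or look-alike root that shares the CA's name but is not the certificate that was published.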