Maybe you needed to update the Win 10 machine; CU updates are up to 15063.447. Also, Win10 was really designed to run on SRV2016. Maybe it had to do with policy setup in the server.
Normally, any Windows since Vista manages the root certificates by itself (through a scheduled task, IIRC). Sometimes that process fails for an unknown reason, and rootsupd.exe might give it a "kickstart". Since the important MS certificates are long-term, rootsupd.exe still works today, despite not being updated any more.