Older versions of Windows may not include the necessary CA and would have downloaded it automatically from Windows Update. If root certificate updates are disabled, or a firewall prevents it from getting new certificates from Windows Update, then it may be missing.
Do you have root certificate updates disabled in Group Policy? (Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication Settings)
Unfortunately, there is a lot of bad security advice floating around on the Internet that suggests turning this off. If you do not regularly audit CAs and add them to the certificate store manually yourself, then you really should not turn this off.
If it is not turned off, check your Event Log for errors starting with "Failed auto update retrieval of third-party root list". If this error is present, the computer is being blocked from contacting Windows Update for the new root certs somehow.
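
Both checks described above can be scripted; the following PowerShell is an added example, not part of the original answer. It assumes the Group Policy setting is backed by the `DisableRootAutoUpdate` registry value under the `AuthRoot` policy key and that the error is logged by the `Microsoft-Windows-CAPI2` provider in the Application log; the 2000-event scan limit is an arbitrary choice.

```powershell
# Added example: check the root-update policy and look for the auto-update error.

# 1. Policy check. Assumption: the "Turn off Automatic Root Certificates Update"
#    setting writes DisableRootAutoUpdate = 1 under this policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy = Get-ItemProperty -Path $policyKey -Name 'DisableRootAutoUpdate' -ErrorAction SilentlyContinue

if ($policy -and $policy.DisableRootAutoUpdate -eq 1) {
    Write-Output 'Root certificate auto-update: DISABLED by policy.'
} else {
    Write-Output 'Root certificate auto-update: not disabled by policy.'
}

# 2. Event Log check. Assumption: the error comes from the CAPI2 provider in the
#    Application log. Matching is done on the message text quoted in the answer.
$needle = 'Failed auto update retrieval of third-party root list'
$filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CAPI2' }

$hits = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "$needle*" })

if ($hits.Count -eq 0) {
    Write-Output 'No matching auto-update failures in the scanned events.'
} else {
    Write-Output "Found $($hits.Count) auto-update failure(s); most recent first:"
    $hits |
        Select-Object -First 5 TimeCreated, Id, @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-List
}
```

Run it from an elevated prompt on the affected machine; the first line of each matching message shows which download failed and with what error.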