@imnotafeline @Em0nM4stodon The NSA does not run a Root CA, and even if they did it’s not like anyone with Admin privileges (Local, Domain, or Enterprise) can’t go into certlm.msc
and disable/ delete the “suspected” Root CA from the Local Certificate Store.