Ok here is a little tip when trying to add trusted root certificate authorities to Skype for Business 2015 and Lync 2010/2013 Edge servers.
Microsoft have a list of Unified Communications Certificate Providers detailed here: https://support.microsoft.com/en-us/kb/929395
Windows now automatically downloads Trusted Root certificates when you access a web page on HTTPS. We can exploit this to get all Trusted Root certificates on our Edge servers which is required for Federation to work correctly. An example of this is where you only get one way IM or a federated partner may see your presence as unknown.
First of all you need to allow HTTPS (TCP/443) out from your Edge server(s). If you don’t want to bug the Firewall admin you can stop SfB/Lync Services (Stop-CsWindowsService) and remove the Access and Webconf IP addresses from the external NIC. The AV Edge IP should already have TCP/443 outbound.
Next you need to open up Internet Explorer and navigate to the HTTPS site of each Certificate Provider in the list provided by Microsoft, e.g.:
Once complete you will see that Trusted Root Certification Authorities is now populated:
If you have removed your Access and Webconf IPs from the external NIC, re-add them and start the SfB/Lync services (Start-CsWindowsService)