Can your IT automation place the certificates that need to be trusted into the $USER/.ignition/clientlauncher-data/certificates folder on machines that will be launching clients and designers?
The same can be done on the gateway using $IGNITION/data/certificates/supplemental as well. Then you don't have to mess with using the Windows certificate store.
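One way an automation job could populate the launcher folder named above, as an added example that is not part of the original post or any Ignition tooling. The function names are hypothetical, and the code assumes that "$USER" means the user's home directory, that there is one PEM certificate per file, and that source file names are kept; the same function can be pointed at the gateway's supplemental folder.

```python
import hashlib
import os
import ssl
import tempfile
from pathlib import Path


def launcher_trust_dir() -> Path:
    # Folder from the post; "$USER" is read as the home directory (assumption).
    return Path.home() / ".ignition" / "clientlauncher-data" / "certificates"


def fingerprint(pem_text: str) -> str:
    """SHA-256 of the DER bytes of exactly one PEM CERTIFICATE block.

    Raises ValueError for private keys, bundles and binary files, so only
    certificates ever reach the trust folder.
    """
    if pem_text.count("-----BEGIN ") != 1:
        raise ValueError("expected exactly one PEM block")
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())  # ValueError if not a CERTIFICATE
    return hashlib.sha256(der).hexdigest()


def sync_trusted_certs(staging: Path, target: Path = None) -> dict:
    """Copy valid certificates from staging into target; safe to rerun."""
    target = target or launcher_trust_dir()
    target.mkdir(parents=True, exist_ok=True)
    present = set()
    for existing in target.iterdir():
        if existing.is_file():
            try:
                present.add(fingerprint(existing.read_text(errors="replace")))
            except ValueError:
                pass  # unknown file: leave it alone, do not count it as trusted
    report = {"installed": [], "skipped": [], "rejected": []}
    for src in sorted(p for p in staging.iterdir() if p.is_file()):
        try:
            fp = fingerprint(src.read_text(errors="replace"))
        except ValueError:
            report["rejected"].append(src.name)
            continue
        if fp in present:
            report["skipped"].append(src.name)  # already trusted, nothing to do
            continue
        fd, tmp = tempfile.mkstemp(dir=target)
        with os.fdopen(fd, "wb") as fh:
            fh.write(src.read_bytes())
        os.replace(tmp, target / src.name)  # atomic: never a half-written cert
        present.add(fp)
        report["installed"].append(src.name)
    return report
```

The check is on PEM framing only; it does not parse the X.509 structure or check expiry, so the staging directory should contain only certificates you have already decided to trust.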