I'm trying to figure out what userrights or group membership would be necessary to allow normal built-in\users read-access to a remote server's certificate store via certmgr.msc (or "manage computer certificates"). As seen below, one of the users I had test from their laptop opened certmgr and selected "connect to another server", but then received "you do not have permissions to manage the certifcate store". The only thing I've seen is possibly adding registry permissions so they can query, but that was from a pretty old winsrv2012 article that was more towards using posh to query. I'd just prefer admins not have to stop and check server cert stores, since I'm not supposed to allow everyone RDP access.
Windows stores LocalMachine certificates in the registry, so your users need access to connect to the Remote Registry service, and the service must be running. By default, only Administrators and the Backup Operators group have permission.
To give access to other users:
HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winregIt looks like you can give
ReadKeyrights for read-only access.Also note that the windows cert store allows all users to read the public certificate information, but only Administrators and SYSTEM can read/export the private keys. This can be adjusted per-certificate in certlm.msc by right-click the cert > All Tasks > Manage Private Keys.