I wanted to check the trust of one of the .exe files in our project, for which I am using C#.
I have referred to http://pinvoke.net/default.aspx/wintrust/WinVerifyTrust.html
Here is my code snippet:

    // WinTrustData, WinVerifyTrustResult and WinVerifyTrust are the P/Invoke declarations from the pinvoke.net page above.
    WinTrustData wtd = new WinTrustData(filename);
    Guid guidAction = new Guid(WINTRUST_ACTION_GENERIC_VERIFY_V2);
    WinVerifyTrustResult result = WinVerifyTrust(INVALID_HANDLE_VALUE, guidAction, wtd);
    bool valid = (result == WinVerifyTrustResult.Success);

filename is nothing but the .exe file path.
WinVerifyTrust() in the above code returns "WinVerifyTrustResult.Success" only if the machine has been connected to the internet at least once.
However, on a fresh machine it returns "0x800b0100", i.e. "TRUST_E_NOSIGNATURE".
Is this expected behavior? If yes, then how do I resolve it?
I searched for this specific behavior but did not find any satisfactory answer.
Windows (7+) is shipped with a very limited set of root certificates.
Those are downloaded on demand. This could be the reason why the Authenticode signature could not be verified if a computer was never connected to the internet before (but still, I suppose that just connecting to the internet is not sufficient, but some surfing to HTTPS pages or verifying the Authenticode signature is necessary so that the "right" root certificate is downloaded).
You can verify this by checking/counting the CA certificates which are installed in Internet Explorer before and after connecting to the internet.
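
One way to run the before/after comparison suggested in the answer from C# (an added example, not code from the question or the answer): it counts the certificates in the machine's Trusted Root store and tries to build the chain of the file's signer certificate from local stores. The class name `RootStoreCheck` and the command-line usage are assumptions made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class RootStoreCheck   // hypothetical name, not from the page
{
    // Number of certificates currently in the machine's Trusted Root store.
    static int CountLocalRoots()
    {
        using (var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            return store.Certificates.Count;
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: RootStoreCheck <signed.exe>"); return 2; }
        Console.WriteLine("Trusted roots in LocalMachine\\Root: " + CountLocalRoots());

        X509Certificate2 signer;
        try
        {
            // Reads the embedded signer certificate only; this does NOT validate the signature.
            signer = new X509Certificate2(X509Certificate.CreateFromSignedFile(args[0]));
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("No embedded signer certificate could be read: " + ex.Message);
            return 1;
        }

        using (var chain = new X509Chain())
        {
            // Skip CRL/OCSP so the result reflects chain building, not revocation lookups.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            bool ok = chain.Build(signer);
            Console.WriteLine("Signer: " + signer.Subject);
            foreach (X509ChainElement e in chain.ChainElements)
                Console.WriteLine("  chain element: " + e.Certificate.Subject);
            // PartialChain or UntrustedRoot means an issuer (often the root) is not available locally.
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine("  status: " + s.Status + " " + s.StatusInformation.Trim());
            Console.WriteLine(ok ? "Chain builds to a locally trusted root." : "Chain does not validate against local stores.");
            return ok ? 0 : 1;
        }
    }
}
```

Run it once on the fresh machine and again after the machine has been online, then compare the root count and the chain status lines.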
User contributions licensed under CC BY-SA 3.0