Hacker News
by useerup 4135 days ago
The list of root certs is distributed as an update through Windows update. It is not just an on-demand root cert. An organization that vets updates before applying them to production systems will also need to vet such an update.

The updates are indeed very auditable. Any organization that chooses to selectively apply updates will not have new root certs appear out of channel.

Of course Microsoft needs to be able to update the root cert list. It has been used to remove certs as well (Diginotar). However, when they do so, it needs to be transparent. Windows Update is transparent. The very article you linked even goes into details about this.

Which means that your claim that "Microsoft can add a new root certificate to a user's system at will" is false. If you do not automatically install all updates or if you use WSUS, root certs will only be updated if you allow the update through.

The process outlined in your linked article describes how Windows will attempt to find and install the Windows Update package from the cert chain. This does NOT bypass the Windows Update mechanism; it merely looks for a package in the catalog with the root cert that was requested by following the chain.