I notice that this issue doesn't contain actual problem statement; Adam only reported what he did and what happened, but not what should have happened instead.

I personally don't think that the problem stated in the title ("ssl.enum_certificates() will not return all certificates trusted by Windows") is a bug - this is correct behavior. It would be unreasonable to expect that enum_certificates() triggers a download of the entire MS root list, when Microsoft has established as a policy that download should be on demand, triggered by verification.

What I would agree *is* a bug is that the certificate verification fails; it should trigger the root download, as is platform convention (hopefully then also conforming to the group policy setting where you can disable root certificate download).

Please leave out unrelated bugs (e.g. a failure to fetch certain certificate attributes) from this bug report. Report them separately instead.