When we were in touch with Microsoft support regarding this issue (see Certificates signed by ISRG Root X1 aren't enabled for client authentication on Windows - #9 by peterb), they made it sound like the submission for the root CA that was filed by Let's Encrypt simply did not include the clientAuth EKU (and it needs to be explicitly stated in the submission for it to be included in their trust store).