I have doubts that this is really always up to date (this might not even be machine generated, but maintained in some Excel file at Microsoft...). Anyway, the 'actual' source of truth (the authoritative root file hosted on Microsoft servers, here) contains the Client Auth EKU for both certificates (I used this to parse the trust store file).
I've written a likely explanation here: Microsoft Windows Root Certificate Lazy-Loading - #5 by Nummer378