"The default policy of a Microsoft client validating a certificate with name constraints asserted is that all names have to be explicitly permitted. For example, if a name constraint does not specify the e-mail name as a permitted type, and a certificate request contains an e-mail name, the request will be rejected. It is possible to relax this policy and implicitly allow names not defined in the name constraint extension by configuring the CA policy in the registry."
As I see it, that is happening because the Name Constraints have the Excluded Field set but the Allow Field is None, so because of how the Name Constraints have to be explicitly permitted, this will fail. A workaround is to change that in the XP registry, which I think is pretty fair as XP is like a fossil. Or LE could, besides the excluded ‘.mil’ TLD, have all the other TLDs in the world explicitly permitted in the Allow Field. Your call, buddy!
Edit: I tried to find where I could change that behavior as the MS doc said, but I couldn’t. Here is where I think it should be: https://msdn.microsoft.com/en-us/library/windows/desktop/aa380258(v=vs.85).aspx#certificate_chain_structures
Maybe I lack the understanding to get this information.
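To make the difference between the two interpretations concrete, here is an added example (not from the post above or from any Microsoft or Let's Encrypt code) that models how a dNSName is evaluated against a name constraints extension that excludes `.mil` but lists no permitted subtrees; the `rfc5280` policy treats an empty permitted list as "no restriction", while the `strict` policy mirrors the Microsoft default quoted above, where a name type with no permitted subtree is rejected. The matching rule and the sample extension are constructed for illustration.

```python
# Added example: dNSName evaluation under two name-constraint policies.
# The two policies and the sample extension are constructed for illustration.

def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10 dNSName matching: the name matches a subtree when it
    equals it or is a subdomain of it. A leading '.' on the subtree (as some
    encoders emit) is tolerated and treated the same way."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().lstrip(".").rstrip(".")
    return name == subtree or name.endswith("." + subtree)

def check_dns_name(name, permitted, excluded, policy="rfc5280"):
    """Return (allowed, reason) for one dNSName.
    permitted / excluded: dNSName subtrees from the extension (either may be empty).
    policy="rfc5280": an empty permitted list imposes no restriction on that type.
    policy="strict":  every name type must be explicitly permitted (the default
                      Microsoft client behaviour described in the quoted documentation)."""
    # Excluded subtrees win regardless of policy.
    for sub in excluded:
        if dns_in_subtree(name, sub):
            return False, f"{name} is within excluded subtree {sub}"
    if not permitted:
        if policy == "strict":
            return False, "dNSName type has no permitted subtree, so it is not explicitly permitted"
        return True, "no permitted dNSName subtrees; only the exclusions apply"
    for sub in permitted:
        if dns_in_subtree(name, sub):
            return True, f"{name} is within permitted subtree {sub}"
    return False, f"{name} is outside every permitted dNSName subtree"

# Constructed sample extension: excluded '.mil', nothing permitted (the case discussed above).
SAMPLE_PERMITTED = []
SAMPLE_EXCLUDED = [".mil"]

if __name__ == "__main__":
    for host in ["www.example.org", "army.mil", "mil.example.com"]:
        for pol in ("rfc5280", "strict"):
            ok, why = check_dns_name(host, SAMPLE_PERMITTED, SAMPLE_EXCLUDED, pol)
            print(f"{pol:8} {host:16} -> {'ALLOW' if ok else 'REJECT'}  ({why})")
```

Running it shows that every non-`.mil` host is accepted under `rfc5280` and rejected under `strict`, which is exactly the symptom the post attributes to the Allow Field being None.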