Forum Discussion
Microsoft CTL pushing out trust of expired SHA1 roots
Hi,
Does anyone have any idea why (and I've checked the list of certs needed for Windows code signing, not that) Microsoft are still pushing out numerous expired SHA1 Root CA certs in the Certificate Trust List?
I did a download today to identify why three in particular keep turning up on customers' clients, namely these three:
- "DE3F40BD5093D39B6C60F6DABC076201008976C9" QuoVadis Root Certification Authority
- "DAC9024F54D8F6DF94935FB1732638CA6AD77C13" DST Root CA X3
- "02FAF3E291435468607857694DF5E45B68851868" AddTrust External CA Root
Does anyone know who is best to contact at Microsoft to identify why this is still the case? Any Microsoft Engineers about, or twitter/linkedin people worth a shout?
It seems that pushing out SHA1 certs is still a risk, and increasingly security-conscious customers are looking to clean up low-level items like SHA1 certificate trusts to prevent MITM/impersonation/false code-signing etc. that could be spawned from trusting a SHA1 CA.
Whilst these certs are expired and/or revoked, that in itself doesn't protect offline systems or systems with CRL checking disabled (which some of the security-conscious customers have on some systems 'because reasons').
Surely unless these certs are critical for system stability (code signing, etc.) they should be removed from the CTL updates which keep pushing them back onto clients? Isn't that kind of the point of the CTL?
Also, the new certificate module for Defender for Endpoint picks these up as expired and risky SHA1 certificates!
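As an added example (not part of the original post or anything Microsoft ships), the following PowerShell inventories the trusted root stores on a Windows host, flags roots that are expired or carry a SHA-1 signature, and highlights the three thumbprints quoted above. It optionally pulls the current root list from Windows Update with `certutil -generateSSTFromWU` (a documented certutil verb) to confirm whether those thumbprints are still being distributed; the store paths and the temporary SST file name are assumptions for this example.

```powershell
# Added example, not from the original post. Audits Windows trusted-root stores for
# expired or SHA-1-signed roots and checks whether the three thumbprints from the
# thread are present locally and in the root list currently served by Windows Update.

# Thumbprints exactly as quoted in the thread.
$flaggedThumbprints = @(
    'DE3F40BD5093D39B6C60F6DABC076201008976C9',  # QuoVadis Root Certification Authority
    'DAC9024F54D8F6DF94935FB1732638CA6AD77C13',  # DST Root CA X3
    '02FAF3E291435468607857694DF5E45B68851868'   # AddTrust External CA Root
)

# Standard Windows certificate store paths (assumed scope for this audit).
$stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root')
$now = Get-Date

function Get-RootCertFindings {
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Expired    = ($_.NotAfter -lt $now)
                # FriendlyName is e.g. 'sha1RSA' or 'sha256RSA'
                SHA1Signed = ($_.SignatureAlgorithm.FriendlyName -match 'sha1')
                Flagged    = ($flaggedThumbprints -contains $_.Thumbprint)
            }
        }
    }
}

# 1. Local stores: everything expired or SHA-1 signed, flagged ones first.
$findings = Get-RootCertFindings
$findings |
    Where-Object { $_.Expired -or $_.SHA1Signed -or $_.Flagged } |
    Sort-Object Flagged, Expired -Descending |
    Format-Table Store, Subject, Thumbprint, NotAfter, Expired, SHA1Signed, Flagged -AutoSize

# 2. Windows Update root list: does the distributed CTL still carry these roots?
#    $sstPath is a temporary file chosen for this example.
$sstPath = Join-Path $env:TEMP 'wu-roots.sst'
certutil.exe -generateSSTFromWU $sstPath | Out-Null
if (Test-Path $sstPath) {
    $wuRoots = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $wuRoots.Import($sstPath)
    foreach ($tp in $flaggedThumbprints) {
        $hit = $wuRoots | Where-Object { $_.Thumbprint -eq $tp }
        if ($hit) {
            '{0}  present in WU root list, NotAfter {1:u}, sig {2}' -f $tp, $hit.NotAfter, $hit.SignatureAlgorithm.FriendlyName
        } else {
            '{0}  not in WU root list' -f $tp
        }
    }
    Remove-Item $sstPath -Force
}
```

Design note: the script reports `SHA1Signed` and `Expired` as separate columns because they describe different things. Windows never verifies the self-signature on a root it already trusts (trust comes from store membership), so the SHA-1 self-signature is a hygiene finding, whereas an expired root affects chain building only when time validity is enforced, and the `AuthRoot` store plus the WU check together show whether a root keeps coming back via the CTL after a local removal, which is the behaviour the post describes.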