Closed orangepizza closed 5 years ago
The Microsoft Trusted Root Certificate Program only permits "ISRG Root X1" to be used for the Server Authentication trust purpose.
Microsoft publishes their root program metadata here: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Here's a human-readable view of the same metadata: https://github.com/robstradling/authroot.stl/blob/master/authroot.tsv
crt.sh is reporting the information correctly. I don't know what "certlm" is, but when I view the "ISRG Root X1" certificate in certmgr.exe on Win10 I see:
This certificate is intended for the following purpose(s):
- Ensures the identity of a remote computer
- All issuance policies
"All issuance policies" is talking about the Certificate Policies extension, not the Extended Key Usage extension. "Ensures the identity of a remote computer" is the Server Authentication EKU.
For example, for ISRG Root X1 (https://crt.sh/?caid=7394), crt.sh shows that it cannot be used for any use other than Server Authentication, but in Windows certlm it shows that ISRG Root X1 is trusted for all purposes.