That is a feature, not a bug. The whole point to Windows GP is to allow your boss to push bogus root CAs into your work machines' store (without you knowing it, let alone preventing it) so the corp proxy can MITM sniff all of your https traffic at will. Remove that ability, and expect your local PHB to whine incessantly.
Never mind that the idiots running the IT dept have no clue how bad it is to deploy a CA that can automatically sign forged certs arbitrarily. And most employees are clueless enough to never bother checking their trust root CA list.
Unrestricted MS group policy push means all of TLS/SSL is a complete sham.
Hopefully this Superfish fiasco will bring this to light, However, I am not optimistic, given the quality of reporting on it so far, and the fact that employers do not want their employees to know exactly how much the corporate proxy has compromised the entirety of internet security.
I know the response is "well just trust your IT dept, they won't let their bogus root CA priv key fall into the wrong hands; corporate proxies are for your own good".
Right.