It's also well within Kazakhstan's budget to do subtler, harder-to-defeat things to stop MITM circumvention. This is an arms race that Google will lose.
Other non-windows updates do allow you to install other software.
To set this up, Kazakhstan will have to set up their CA with the bit set for software signing. This bit will be visible by everyone and it'll be very telling instead of just being allowed as a root CA for ssl/https sites.
Not everything can be changed from the beautiful plains of Silicon Valley.
Not sure how this will work with certificate pinning, though. Will sites like Google become inaccessible?