Regardless of where the cert store is, it came with some CA certs "in the box". Pinning applies to these CAs. Any CA's added by the end user (aka person at the keyboard, or enterprise admins, etc) bypass pinning.
For better or worse, bypassing of pinning is required in some enterprise scenarios to inspect traffic leaving the network. e.g. Is someone attaching all our customer data to a email in gmail? To know that, I need to MITM mail.google.com.
Sadly, this mechanism does get abused :(
But how would Chrome know if a root cert from Windows’ cert store was added by the user or not? They would all be located in the ”Trusted Root Certification Authorities” container.
"The" Trusted Root Certification Authorities store isn't a real thing, it's just a view onto a bunch of different stores that are actually separate, including a local machine store and per-user stores plus of course stores added by your membership of a domain or other grouping.
So Chrome gets to distinguish between certificates that Microsoft added and the ones added by Group Policy or whatever else to your system.