I spent a whole day diagnosing an issue with my test services that use mutual HTTPS. The services are hosted in IIS 7 on a test server running Windows Server 2008 Enterprise edition.
Suddenly, a few weeks ago, all test services stopped working and any request to these services ended with a 403.7 "Client certificate required" error. After a lot of searching I found this article describing a similar issue with Windows Server 2003.
In short, the issue is caused by too many trusted root CAs installed in the local machine certificate store. During the mutual HTTPS handshake the server sends a "list" of trusted CAs to the client, and the client can select a certificate based on this list (unless the site in IIS is configured with a CTL, but that is for a different question). The problem is that the list can hold only 16KB, so if there are more CAs, they are simply not sent to the client. If the client certificate in use is issued by one of the truncated CAs, it is not sent to the server.
After that I checked the local machine's trusted root certificate store and found that more than 200 trusted root CAs are installed. What is even worse: we didn't install them! Somewhere I found a bit of information (sorry, can't find it again) that these CAs are installed automatically through Windows Update.
The question: how do I turn off the installation of CA certificates on our computers without turning off Windows Update?
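An added diagnostic for the situation described in the question (this is example code, not something from the original post): it walks the Local Machine Trusted Root store, sums the DER-encoded subject names the server would advertise in its client-certificate request, and reports which roots fall past the 16KB figure given above. The 2-byte per-name length prefix is the TLS encoding of each DistinguishedName; the cumulative order shown is only illustrative, since the post does not say in what order Schannel emits the names. The final lines read the policy value behind the "Turn off Automatic Root Certificates Update" group policy, which is the standard switch for the behaviour the question asks about; that registry path is from Windows documentation, not from the post.

```powershell
# Added example: how far past the 16 KB CA-list limit does this machine's
# Trusted Root store reach? Run elevated on the affected IIS server.
$LimitBytes = 16 * 1024     # limit quoted in the question

$roots = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Sort-Object -Property NotBefore    # illustrative order only (assumption)

$running = 0
$report = foreach ($cert in $roots) {
    # The server advertises each CA's DER-encoded subject DN, prefixed by a 2-byte length
    $nameLen = $cert.SubjectName.RawData.Length + 2
    $running += $nameLen
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NameBytes  = $nameLen
        Cumulative = $running
        FitsIn16KB = ($running -le $LimitBytes)
    }
}

"Trusted roots: {0}; total CA-list bytes: {1}; limit: {2}" -f $roots.Count, $running, $LimitBytes

# Roots whose names would be cut off the advertised list at this ordering
$report | Where-Object { -not $_.FitsIn16KB } |
    Select-Object Subject, Thumbprint, Cumulative |
    Format-Table -AutoSize

# Is the automatic root update mechanism already disabled by policy?
# (Policy "Turn off Automatic Root Certificates Update" writes this DWORD.)
$polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$pol = Get-ItemProperty -Path $polPath -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableRootAutoUpdate -eq 1) {
    'Automatic root certificate update: disabled by policy'
} else {
    'Automatic root certificate update: enabled (default)'
}
```

If the total is comfortably under the limit, the 403.7 has another cause and the root count is a red herring; if it is over, the thumbprints in the report tell you which issuing roots are at risk of being dropped from the list the client sees.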
I don't think they were all installed by Windows Update, honestly. There would probably be a lot more people having this problem if they were, right?
They can also be installed by GPOs and domain memberships, which is where I'd look first.
But, before looking, I'd want to allow use of HTTPS... (maybe, unless you suspect or know you have malicious CA trusts in there), which would most easily be done by removing the ones you don't want. Certificate Manager Tool, plus scripted removals in the startup or shutdown script portion of a GPO.
They can also be installed maliciously, and if that's the case, you're badly compromised, and I would recommend/you need to start wiping every single machine with malicious certs as trusted CAs.
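For the "scripted removals" the answer mentions, here is an added example (not the answerer's own script) that keeps only an explicit allowlist of root thumbprints in the Local Machine Trusted Root store and backs up every certificate before removing it. It uses the .NET X509Store API rather than Remove-Item on the Cert: drive, so it runs on the PowerShell versions available for Windows Server 2008. The thumbprint in the default allowlist is a placeholder; the backup path is an assumption. Without the -Remove switch it only reports what it would do.

```powershell
# Added example: prune the Trusted Root store down to an allowlist,
# report-only unless -Remove is given. Run elevated.
param(
    [string[]]$KeepThumbprints = @('PLACEHOLDER-THUMBPRINT-OF-YOUR-ISSUING-ROOT'),  # placeholder
    [string]$BackupDir = 'C:\RootBackup',   # assumption
    [switch]$Remove
)

# Thumbprints from X509Certificate2 are uppercase hex with no spaces
$keep = @{}
foreach ($t in $KeepThumbprints) { $keep[($t -replace ' ', '').ToUpper()] = $true }

if (-not (Test-Path -Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $total = $store.Certificates.Count
    # Snapshot the candidates first: the live collection changes as entries are removed
    $candidates = @($store.Certificates | Where-Object { -not $keep.ContainsKey($_.Thumbprint) })

    foreach ($cert in $candidates) {
        # DER export of the public certificate is enough to re-import it later
        $file = Join-Path -Path $BackupDir -ChildPath ($cert.Thumbprint + '.cer')
        [System.IO.File]::WriteAllBytes($file, $cert.RawData)

        if ($Remove) {
            $store.Remove($cert)
            "Removed      {0}" -f $cert.Subject
        } else {
            "Would remove {0}" -f $cert.Subject
        }
    }

    "{0} root(s) in store, {1} not on the allowlist, {2} kept" -f `
        $total, $candidates.Count, ($total - $candidates.Count)
} finally {
    $store.Close()
}
```

Check the report-only output before running with -Remove: the allowlist must include every root the server itself depends on (the chain Windows Update and signed updates validate against, any code-signing roots your own tooling needs), not just the root your client certificates chain to. Also note that a root pushed by GPO or by the automatic root update will come back at the next refresh, which is why the answer suggests running the removal from a GPO startup script rather than once by hand.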