No prompt for certificate in SSL client authentication

When mutual SSL (client certificate authentication) is required on IIS or another application that uses Windows Schannel, the server sends the client a list of trusted issuers during the SSL handshake (the certificate trust list, CTL). It states which certificate authorities the server trusts; a client certificate appears in the certificate-selection dialog presented to the user only if it chains to a CA certificate in that list.

To find out which certificate authorities the server trusts, we can use OpenSSL:
openssl.exe s_client -connect www.example.com:443

This prints the list along with much other information about the handshake.

If this list of acceptable CAs is empty, then any certificate is eligible for client authentication and will be offered in the selection dialog.
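To check the advertised issuer list without reading the whole s_client dump, the shell helper below (an added example, not part of the original post) parses saved s_client output: OpenSSL prints the issuers under "Acceptable client certificate CA names", and prints "No client certificate CA names sent" when the list is empty. The two sample outputs and the Contoso issuer names are constructed; note that the "No ... sent" line also appears when the server did not request a client certificate at all.

```shell
#!/bin/sh
# Usage: openssl s_client -connect host:443 </dev/null 2>/dev/null | acceptable_cas
# Prints one acceptable issuer DN per line, or "ANY" when the server sent
# no list (then any client certificate is eligible for selection).
acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { grab = 1; next }
        /^No client certificate CA names sent/    { print "ANY"; exit }
        # the issuer block ends at the next s_client section header
        grab && (/^Client Certificate Types/ || /^Requested Signature Algorithms/ || /^---/) { exit }
        grab && NF { print }
    '
}

# Constructed s_client output (not captured from a real server):
# the server advertises two trusted issuers.
SAMPLE_WITH_LIST='---
Acceptable client certificate CA names
CN = Contoso Root CA, O = Contoso, C = US
CN = Contoso Issuing CA 01, O = Contoso, C = US
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
SSL handshake has read 3050 bytes and written 431 bytes'

# Constructed s_client output: the server sends no issuer list,
# which is what SendTrustedIssuerList = 0 produces.
SAMPLE_EMPTY='---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---'

echo "server with issuer list:"
printf '%s\n' "$SAMPLE_WITH_LIST" | acceptable_cas
echo "server without issuer list:"
printf '%s\n' "$SAMPLE_EMPTY" | acceptable_cas
```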

You can tweak the registry of the Windows server to stop it from sending a CTL. Here is how to do this:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Value name: SendTrustedIssuerList
Value type: REG_DWORD
Value data: 0 (False)
