This setting and two others impossible to remove live under:
Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies/Trusted Root Certification Authorities
Policy.............................................................................................................................................. Setting
Allow users to select new root certification authorities (CAs) to trust........................................................ Enabled
Client computers can trust the following certificate stores....................................................................... Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria.... Registered in Active Directory only
We are on Windows Server 2008 R2