We secure a critical extranet application with client certificates. Users are always prompted to select their certificate even though most users have only that one certificate. Can I configure Windows to automatically select the certificate if there's only one?

Yes, but the setting is a Microsoft Internet Explorer (IE) setting rather than a Windows setting. Open IE and select Tools, Internet Options. Select the Security tab and select the zone in which your Web application resides. For external users, that will be the Internet zone unless they've added your site to the "Trusted sites" zone. For users on the internal network, select the "Local intranet" zone. Click Custom level and, under Miscellaneous, enable the "Don't prompt for client certificate selection when no certificates or only one certificate exists" policy. IE will now skip the dialog that asks the user to select a client certificate unless the user has more than one certificate to choose from.
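The setting is stored per zone, so it applies to every site in the zone you change, not only to your application. The following PowerShell audit is an added example, not part of the original answer; it relies on the registry value `1A04` under each zone key, which is where IE keeps this option (0 = Enable, 3 = Disable), and reports it for the three zones named above in both the preference and policy hives.

```powershell
# Added example: report the "Don't prompt for client certificate selection..."
# option (URL action 1A04) for each zone and each registry hive that can set it.
$action = '1A04'
$zones = @(
    @{ Id = 1; Name = 'Local intranet' },
    @{ Id = 2; Name = 'Trusted sites' },
    @{ Id = 3; Name = 'Internet' }
)
$base   = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$hives  = @(
    @{ Label = 'Machine policy';  Root = "HKLM:\Software\Policies\$base" },
    @{ Label = 'User policy';     Root = "HKCU:\Software\Policies\$base" },
    @{ Label = 'User setting';    Root = "HKCU:\Software\$base" },
    @{ Label = 'Machine setting'; Root = "HKLM:\Software\$base" }
)
$meaning = @{ 0 = 'Enable (no prompt for zero or one certificate)'
              3 = 'Disable (always prompt)' }

$report = foreach ($zone in $zones) {
    foreach ($hive in $hives) {
        $path  = Join-Path $hive.Root ([string]$zone.Id)
        # Missing key or missing value both come back as $null.
        $value = (Get-ItemProperty -Path $path -Name $action `
                    -ErrorAction SilentlyContinue).$action
        [pscustomobject]@{
            Zone    = $zone.Name
            Source  = $hive.Label
            Value   = if ($null -eq $value) { 'not set' } else { $value }
            Meaning = if ($null -eq $value) { '' }
                      elseif ($meaning.ContainsKey([int]$value)) { $meaning[[int]$value] }
                      else { 'unexpected value' }
        }
    }
}
$report | Format-Table -AutoSize

# List every place where the selection dialog is suppressed, so the change
# can be confirmed as limited to the zone that holds the extranet site.
$report | Where-Object { $_.Value -eq 0 } |
    ForEach-Object { "Prompt suppressed: $($_.Zone) via $($_.Source)" }
```

A value in a policy hive means the option is being managed centrally and the Internet Options dialog will not change it for that zone.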