Just so that I understand, am I correct in saying that 60days before the 'User certificate' expires, it will auto-renew it ? and NOT the certificate authority identifier certificate (which has the thumbprint on the NDES enrollment service) - as its this cert which we use the thumbprint in teh SCEP policy that is expiring.
http://internal-CAServer/CertSrv/mscep_admin/