Hello there,
Is this the first time you are deploying this GPO to your environment or have you tested it before?
If you look at the certificate template, you'll see a setting named Renewal Period. When the certificate enters that period (subtract the Renewal Period value from the expiry date of the certificate to determine when that period begins) clients will begin requesting renewals.
You need to properly set up the certificate for autoenrollment and the GPO
See https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759371(v=ws.10)?redirectedfrom=MSDN for details
In the PKI environment, it is not supported to renew the root ca certificates automatically. https://social.technet.microsoft.com/Forums/lync/en-US/196a6229-c118-49e7-b073-df79e71ce5b1/auto-renew-an-enterprise-ca-root-certificate?forum=winserversecurity
If you mean the certificates issued by CA for the clients and users, yes,it can be set not to renew automatically. The certificates by the ca issued will not auto-enroll by default if the requirements didn't been met:
auto-enroll group policy
auto-enroll permission for the templates
https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment
---------------------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer–