Hi,
All the clients in the domain will get the cert installed once the device refresh the group policy.
Here are 2 methods for your reference:
1,If you don't want the specific computer apply the policy , you can filter the clients from the GPO security.
Put the computers which will apply the policy into one group named auto enroll.
Assign the group read and apply group policy permission.
Remove the apply group policy permission for the authenticated users.
2,Or if you don't want the laptops to install the specific certs ,you can remove the auto enroll permission and enroll permission for the specific laptops on the templates of the cert.
On the templates assign the "auto enroll group' enroll and auto enroll permission.
Keep the authenticated users with only read permission.
Best Regards,