If they're domain members and certificate autoenroll is used, it should happen automatically for Windows supplicants via GPUPDATE. For non-windows devices, and non-domain machines, expect them to be prompted....
If your supplicant trusts the CA and a specific server name or names as long as they don't change, the expiration dates should be transparent.