MSCA Certificates can be set to expire on a certain interval, after hitting the XMS renewal policy (default 30 days before expiration). User Certificates (PKI) are not renewing, leaving expired certificates on devices.

After changing the Deployment Condition to "On every connection" allowed the Certificate Renewal logic within XMS to evaluate the need to deploy the cert on every connection. Renewing the expired certificates.

---

Problem Cause

The Deployment Condition: "Only when previous deployment has failed" was preventing these DeliveryGroups from being deployed again.
Since the certificates will continue to be considered "installed".


This setting should never be used for Certificate policies.