The following image is an overview of the deployed solution.
When I set up the subordinate certificate authority, I issued a certificate to the subordinate from the root certificate authority to validate its identity and authorise it to issue certificates on behalf of the root. Only after issuing this certificate did I find out that the default validity period for certificates issued by a standalone certificate authority in Windows Server 2012 R2 is only 1 year. This is far too short for a certificate that is assigned to another certificate authority.
As a result we increased the validity period of certificates issued by the root certificate authority, using the following command:
certutil -setreg ca\ValidityPeriodUnits "10"
This changed it from 1 year to 10 years (the new value only takes effect once the certificate authority service on the root CA has been restarted).
We then issued a new certificate from the root authority to the subordinate certificate authority for the 10 year period.
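The validity-period change described above, as an added example that is not part of the original post: it inspects the current registry values on the root CA, sets the period to 10 years, restarts the CA service so the change takes effect (the step the post notes was initially missed), and reads the value back. Run it in an elevated PowerShell session on the root CA; the CA name and any paths are not needed because certutil reads the active CA configuration.

```powershell
# Added example (not from the original post). Run elevated on the root CA.
# 1. Show what the CA is currently using. On a standalone CA the defaults
#    are ValidityPeriod = "Years" and ValidityPeriodUnits = 1.
certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits

# 2. Set a 10 year maximum for certificates issued by this CA. Setting both
#    values explicitly avoids relying on the unit being "Years".
certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits 10

# 3. The registry change is only read when the service starts, so restart
#    Active Directory Certificate Services before issuing the subordinate
#    CA certificate. Skipping this step is what caused the duplicate
#    1 year certificate in the post.
net stop certsvc
net start certsvc

# 4. Confirm the running CA picked up the new value.
certutil -getreg ca\ValidityPeriodUnits
```

A subordinate CA certificate requested after the restart will be issued for the full 10 years; a request submitted before the restart is still capped at the old 1 year value, so check the NotAfter date of the issued certificate before installing it on the subordinate.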
After issuing a new certificate to the subordinate certificate authority, I realised that the subordinate certificate authority is pushing out the new 10 year certificate to the intermediate certificate store on workstations as well as the old 1 year certificate. This is shown in the following screenshot from a domain member machine. The two highlighted certificates are old certificates which used to be assigned to the enterprise subordinate certificate authority. There are two because we issued two (we forgot to restart the certificate authority service on the root CA after running the certutil command above to extend the validity period, so we had to repeat the process).
I don't want the Active Directory certificate authority pushing out these invalid certificates to all domain joined devices.
How to Remove Certificates from Active Directory Deployment
To remove certificates from Active Directory deployment, you must open an application called pkiview.msc on an Enterprise Certificate Authority.
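Before removing anything through pkiview.msc, it helps to know exactly which CA certificates Active Directory is publishing and which of them are the stale 1 year ones. The following is an added example, not part of the original post, that reads the AIA container in the forest's configuration partition (one of the containers pkiview.msc manages, and the source of the intermediate store entries seen on domain members) and lists every published certificate with its lifetime. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that you run it as a user allowed to read the configuration partition; the placeholder thumbprint at the end is not a real value.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module; run on a domain member with RSAT or on an enterprise CA.
Import-Module ActiveDirectory

# Build the DN of the AIA container from the forest's configuration partition
# rather than hard-coding a domain name.
$configNC = (Get-ADRootDSE).configurationNamingContext
$aiaContainer = "CN=AIA,CN=Public Key Services,CN=Services,$configNC"

# Each certificationAuthority object holds one or more certificates in the
# multi-valued cACertificate attribute. Decode each value so the subject,
# thumbprint and validity window are visible.
$published = Get-ADObject -SearchBase $aiaContainer `
    -LDAPFilter "(objectClass=certificationAuthority)" `
    -Properties cACertificate |
  ForEach-Object {
    $objectName = $_.Name
    $objectDN   = $_.DistinguishedName
    foreach ($raw in $_.cACertificate) {
      $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
      [pscustomobject]@{
        Object       = $objectName
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        LifetimeDays = ($cert.NotAfter - $cert.NotBefore).Days
        DN           = $objectDN
      }
    }
  }

# Show everything, shortest lifetime first: the 1 year subordinate CA
# certificates stand out next to the 10 year replacement.
$published | Sort-Object Object, LifetimeDays |
  Format-Table Object, Subject, Thumbprint, NotBefore, NotAfter, LifetimeDays -AutoSize

# Optional: remove one stale value directly instead of through pkiview.msc.
# Replace the placeholder with the thumbprint of a certificate you have
# verified is no longer the subordinate CA's active certificate.
$staleThumbprint = "PLACEHOLDER_THUMBPRINT_OF_OLD_1_YEAR_CERT"
$stale = $published | Where-Object { $_.Thumbprint -eq $staleThumbprint }
if ($stale) {
    $staleCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $staleThumbprint
}
```

Run the listing part first and keep the output; the thumbprints it shows are what you will be matching against the entries in the pkiview.msc container view. A certificate should only be removed from Active Directory once no certificate the subordinate CA still issues chains through it, otherwise domain members will lose the intermediate needed to build those chains.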
A big thankyou to River Mei from Microsoft who assisted me with this issue.