Technically there is no such thing as user autoenrollment. But there are hoops you can jump through to get something very similar. In most cases though, I find that you can get away without user certificates altogether. See if this works:
On your NPS server, take your network policy and remove the users security group. That policy will *only* apply to workstations.
Create another policy that is a duplicate of the one above, but add *only* the user security group. In the PEAP authentication section, remove smart cards and add MS-CHAP v2. That will allow password authentication for users.
finally, on the clients, in the PEAP advanced settings, allow both certificates and MS-CHAP v2. Since NPS won't allow MS-CHAPv2 for computer accounts (because of the network policy above) and NPS won't allow certificate authentication for user accounts (because of the new policy we created) you get the net effect of the two authenticaton schemes being mutually exclusive, even though they are both selected on the client.
If everything is working smoothly, that should give you the desired effect without requiring nasty certificate management scenarios.