We had a major problem that was a real head scratcher today. Due to Microsoft's acceleration of deprecating SHA1 hashed certificates, we updated the certificate templates on our domain CA and renewed our master certificate so that it would have a SHA256 hash.
We use NPS (Network Policy Server) to supply RADIUS-based authentication for wireless clients (EAP-TLS and computer certificates). Almost immediately after making the change, all of our wireless clients dropped and would not reconnect. After several hours of head-scratching and googling, we managed to figure out that even though the new root certificate was being pushed to the NPS servers (it showed up in the Certificates MMC), Windows was not using it for authentication. The fix is to run "certutil -enterprise -addstore NTAuth CertFile.cer" (where CertFile.cer is an export file of the new root certificate). You also need to restart the NPS service.
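The check and fix above as a script for each NPS server; this is an added example, not code from the original post. It assumes an elevated PowerShell session, that the local enterprise NTAuth store is held under the registry key shown, and that the NPS service is named IAS.

```powershell
# Added example (not from the original post). Run elevated on the NPS server.
param(
    [Parameter(Mandatory = $true)]
    [string] $CertFile            # exported CA certificate, e.g. CertFile.cer
)

$path = (Resolve-Path -LiteralPath $CertFile).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# Show which certificate is being checked, including its signature hash.
'{0} | {1} | {2}' -f $cert.Subject, $cert.SignatureAlgorithm.FriendlyName, $cert.Thumbprint

# Assumption: local copy of the enterprise NTAuth store, keyed by thumbprint.
$ntAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
$entry     = Join-Path $ntAuthKey $cert.Thumbprint

if (Test-Path -LiteralPath $entry) {
    'Certificate is already in the NTAuth store; no change made.'
    return
}

# The command from the post.
& certutil.exe -enterprise -addstore NTAuth $path
if ($LASTEXITCODE -ne 0) {
    throw "certutil failed with exit code $LASTEXITCODE"
}

# Confirm the store now holds the certificate before touching the service.
if (-not (Test-Path -LiteralPath $entry)) {
    throw 'certutil reported success but the certificate is still missing from NTAuth.'
}

# Assumption: 'IAS' is the service name of Network Policy Server.
Restart-Service -Name IAS
'Certificate added to NTAuth and NPS restarted.'
```

Running it a second time makes no change, so it can be used to confirm the state of each NPS server after the CA certificate is renewed.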

