Windows 10: NPS with SSL Certificates failing to authenticate after CA move

For years we have been using Windows NPS with Cisco Switch radius to authenticate Ethernet NIC with Workstations using Certificates issued by WIN Root CARecently we moved the Root CA from Win 2012 to Win 2019, the rest of the components didnt change.I am able to get the new certificates from the CA, but my NIC authentication now fails.The changes we made is update the Root CA hash to use SHA256 instead of the SHA1I uploaded the new root cert to GPO which got pushed to all the workstations.I also updated the GPO for the Wired profile to include the new Root CA.I can confirm the workstation side

:)

 

6680 CA certificates

The CA certificate for SSL connections that I use is untrusted by the phone. How do I add the CA to the list of existing trusted certificates?

 

Web Client Authentication via SSL Certificate

Nope, that did not work.

I even tried removing the CA certificate and just leaving the client certificate. It still fails on the user authentication.

I'm going to try going thru the CA-Int-Client route... last ditch effort now.

If this doesn't work then Win Mobile is useless to me...

 

certificate authentication prompt to a Microsoft NPS Server

one of my clients face this:

A couple of our Windows 10 PC's have started to show a prompt to join our secure wireless asking which certificate to present as authentication.

We have secure wireless network set up using WPA2-enterprise using certificate authentication to a Microsoft NPS Server. We have User certificates set up to automatically enroll on domain PCs. Normally the only certificate in the user store is the user's automatically-created
domain certificate, but on one of the affected PC's, I see a certificate issued from MS-ORGANIZATION-ACCESS.

Can you tell me how that certificate got there and how I can prevent Windows 10 from prompting the user for a certificate when joining a wireless network?