The servers are all Windows Server 2022.  Proir to applying the Cumulative Update 2025-06, it could have been a year since they were all patched because we only shutdown for maintenance once a year.  The only other significant patch that was applied was a .Net cumulative update as well. 

In the meraki dashboard in the connection log, I am seeing these messages:

Client failed 802.1X authentication to the RADIUS server.
auth_mode='wpa2-802.1x' radius_proto='ipv4' radius_ip='192.168.xxx.yyy' reason='radius_login_failure' radio='1' vap='3' channel='44' rssi='30'

In Windows Event viewer I am seeing:

Event ID 39

Kerberos-Key-Distribution-Center

The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user via explicit mapping. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more.

User: mycomputer$
Certificate Subject: @@@CN=ABC-USERPC.corp.mydomain.com
Certificate Issuer: corp-myCAServerName
Certificate Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Certificate Thumbprint: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Certificate Issuance Policies:

It could just be that I need to update my configurations on my NPS servers (DCs).  My Meraki firmware is up to date as of less than one month ago.  Is there a new article on how to configure wireless clients to use NPS + AD authentication?

After doing some more research on the issue I would like to see if the steps I have put together will resolve the issue.  It appears as though the problem is my clients are getting a Schema 1 version of a certificate (Windows 2003/XP compatible) instead of at least Schema 3 versions or higher with of a cert template.

Here is what I have setup ready to deploy  

• Copy the certificate template that I am currently using to a new template "MyComputersV4"
• Change the compatibility to Server 2016 for Cert Authority
• Change the compatibility to Server 2016/ Windows 10 for Cert Recipient
• On Crypto tab, change Provider Category from Legacy to Key Storage Provider
• Algorithm set to RSA
• Min Key Size to 2048
• Select Microsoft Key Storage Provider from the Providers list
• Set Has to SHA256
• Temporarly unchecked Auto Enroll for Domain Computers on security tab 
• Added the new "MyComputersV4" to the Certificate template list so it can be deployed later.  Left my old "MyComputers" template as is for now until I cut over.

When ready to deploy I can adjust the security to Enable the Enroll and Auto Enroll settings on the new template and disable them on the old tempates.  After force a script down to the computers to run:

gpupdate /force

certutil -pulse

I think this should get the clients up to date, but I should I also be doing something similar for the Domain Controller template?  I see that this is still Schema version 1.  Do the DCs templates need to be updated?