Well, here goes my first reply. I just had to go through this issue myself. Turns out, when you install the AD CA role on the server, the NPS server will automagically decide "I don't like the previous cert, let's use the wildcard you've just added to your CA role." Problem is, I not only don't distribute that cert yet but prefer an uncerted self-signed cert for now. Anyway, 50ish borked clients; I had to manually go back into the NPS role and change mschap to use my self-signed cert, gpupdate for the deployed profile to update, and we're back on as expected.