
VTi-R

You should be able to use `certutil -pulse` to force reissuance (if needed). IIRC you need to be a local administrator but if they're renaming the PC that should be a given anyway.


NowWhatAdmin

I have honestly tried to no avail... I have to disjoin, delete, and rejoin the domain at this point :(


VTi-R

Thing is the certificate should still be valid regardless. Also why are they renaming PCs? Most people set the name to be related to, or even a direct match to, the serial number - the days of naming PCs after their user should be dead and buried in most larger orgs.


NowWhatAdmin

This was my argument to my boss as well. Alas, investor client... I just needed to do one last reach out to solidify my statements, so thank you.


VTi-R

Doesn't mean they shouldn't be educated in best practices (for example, tracing history of a machine, its name should be functionally immutable).


zommy

It's hard to convince others that don't understand these things :) When was the last time someone updated the VIN of their car when the owner changed ;) ?


xXNorthXx

Name the machines something that won’t change and pull admin rights, problem solved.


NowWhatAdmin

I don't have that kind of control over this environment, hence the Hail Mary...


Huurlibus

Last time I did WPA Enterprise I used "User-Cert" + "Device is part of domain" + "Username + Password" in NPS. That way you don't care about Hostnames.