@DoctorKisow Are you having two identity certificates issued by the same CA or one by root CA and other one by the Intermediate CA?

If you have a root CA and Inter.CA, then try disabling the "Trusted for Client Authentication" option under the trusted client CA.

If there's only one CA that signed both certs, then you can use EKU OID filtering option to do the trick, however, caveats are:

# Custom EKUOID has to present on the desired certificate (cert template should be modified for this)

# Pulse Desktop Client 9.1R5 and higher will not work for machine certificate, only user certs will be filtered using EKUOID value (identified as not-supported scenario, hence considered as enhancement). So, only 9.1R4 & below versions of PDC has to be used for this approach to work.

Config reference - https://docs.pulsesecure.net/WebHelp/PDC/9.1R3/Content/PDC_AdminGuide_9.1R3/Configuring_Client_Certi...

Pulse Connect Secure Certified Expert

[email protected] 

Forgive me, I only know enough about Microsoft certificate Server to be dangerous.  I am certain we only have our root CA, no other servers in that chain,  Via a GPO, we are enforcing trust of our root CA to ensure our wireless clients can get and trust the certificates on our hardware for wireless.  Since most of our laptops have both the root certificate and a certificate for wireless our machines are being prompted and sadly we are usint R7 so I believe the EKUOID value will not work.  

I am open to alternate configuration options since we can be flexible.

Currently re-engineering how this works, thanks for your assistance.