KB44062 - Dynamic Trust: "Why is machine auth failing?" "Will the Pulse Client prompt me to trust the server certificate?"

Customer is using PPS and doing pure 802.1x layer 2 authentications and they also have dynamic-trust set to "true" on the Pulse Client and the client ultimately failed authentication.
 

Customer recently changed the server certificate and issuer and that new issuer certificate was not in the trusted server list of the preconfiguration file and ultimately client failed to perform the validation. 
Customer is wanting to know if this is normal because they believe, that due to dynamic trust, the new server should be ignored or it should have been a pop up asking them if they want to trust the new server.
 

The solution here is to include all of the new issuing certificate information in the preconfiguration Pulse client installer file, so that it has all the certificate information necessary to validate the server, because you cannot rely upon dynamic-trust to fix this for you with a prompt.