So apparently members of the Protected Users group can't edit Wired 802.1x group policy. Wireless 802.1x? Sure. Every other group policy setting? Yup. Wired 802.1x? Can't load the snapin.
Got to love the consistency there, Microsoft.
— Adam 'Election Fever' Beardwood (@the_spad) February 12, 2018
If you’re using certificate-based authentication for your wired or wireless network and have the Lync 2013 client installed then you may find that your users start getting prompted to select a certificate when connecting to the network for the first time. This is because the Lync client issues users certificates with blank Subject fields and Windows can’t work out which certificate to use.
There’s a hotfix available from Microsoft here: http://support.microsoft.com/kb/2710995/en-us but unfortunately it’s not available via WSUS so you’ll have to push it to your clients “manually”. Personally I would have thought that certificate-based wireless authentication in environments running Lync were relatively common, enough to justify a proper patch, but apparently not.