Users complained they were unable to log in VMware Horizon Client portal and the logon stuck at "Authenticating...." screen.
In AuthZ ? AuthZAdminCh event log category, the Errorcode of "CLIENT_CERT_INSTALL_ERROR" indicated the certificate issue so I suspected the certificate has expired.
Indeed the certificate has expired yesterday....
So I reran the .\AzureMfaNpsExtnConfigSetup.ps1 script in C:\Program Files\Microsoft\AzureMfa\Config on NPS server. It generated a new certificate with another 2 years of period.
Once the certificate is in place, the 2FA login is happy now.