You might think the place to make the change would be in a certificate template but that is not the case. It looks like the default hash algorithm is stored in the registry and can be changed with certutil.
Run this directly on your CA as administrator:
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Then restart your Certificate service:
net stop CertSvc
net start CertSvc
Freshly issues certificates should now have a SHA256 hash instead of an old depricated SHA1.