Recently we had a customer who wanted to pilot the use of certificate-based authentication for their wireless network. They had a new internal Public Key Infrastructure (PKI) capable of issuing the required certificates and had built a new Network Policy Server (NPS). Their wireless access points were Cisco Meraki devices, and the network team had created a new SSID with the relevant configuration on the network side. The customer had Windows 10 devices and wished to have machines automatically connect to the new Wi-Fi network when in the office, and only be allowed on if they have the appropriate certificates present.
They wanted to use PEAP with Certificates (EAP-TLS), which requires the presence of a computer certificate and a user certificate on the Windows 10 device. They also wanted the Windows 10 devices to be able to authenticate to the Wi-Fi before user logon, so that various domain-based scripts and processes were able to run before the user logged in.
Currently they are using Group Policy to manage Windows 10 rather than Intune, although this is coming in the near future.
If you don’t have a valid chain of trust you will hit issues, and if you don’t have autoenrollment you’ll need to remember to manually renew the NPS server certificate around the end of the validity period.
The NPS server will need to be authorised in AD from the NPS console.
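The chain-of-trust and renewal points above can be checked on the NPS server itself. The following PowerShell is an added example, not part of the original post; the function name `Get-NpsServerCertHealth` and the 30-day warning window are assumptions.

```powershell
# Added example: report chain-of-trust and expiry status for candidate NPS
# server certificates in the local machine store. Run on the NPS server.
# The function name and $WarnDays default are assumptions, not from the article.
function Get-NpsServerCertHealth {
    param(
        [int]$WarnDays = 30,                          # assumed renewal warning window
        [string]$StorePath = 'Cert:\LocalMachine\My'  # computer personal store
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'              # Server Authentication EKU

    # Only certificates with a private key and an explicit Server Authentication
    # EKU are considered; certificates with no EKU extension are skipped.
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) } |
        ForEach-Object {
            $cert  = $_
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Check revocation online for every certificate except the root
            $chain.ChainPolicy.RevocationMode = 'Online'
            $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
            try {
                $trusted  = $chain.Build($cert)
                $problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            } finally {
                $chain.Reset()
            }
            $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            [pscustomobject]@{
                Subject      = $cert.Subject
                Thumbprint   = $cert.Thumbprint
                NotAfter     = $cert.NotAfter
                DaysLeft     = $daysLeft
                ChainTrusted = $trusted
                ChainStatus  = if ($problems) { $problems } else { 'OK' }
                # Flag anything untrusted or inside the warning window
                NeedsAction  = (-not $trusted) -or ($daysLeft -le $WarnDays)
            }
        }
}

Get-NpsServerCertHealth | Sort-Object DaysLeft | Format-Table -AutoSize
```

Any row with `NeedsAction` set to `True` either fails chain validation on the server or is close enough to expiry that a manual renewal should be scheduled when autoenrollment is not in place.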