Maybe I wasn't clear enough but we have user/pass already working with our External SSO IDPs. I already have NPS and the CA configured and done and it works in a test network on the SSID I'm using. The problem is the selection of encryption methods with a Certificate based authentication is set to "OPEN" which I do not want. 

You need to create a group policy to configure the WiFi settings on the machines.  You can use either EAP-TLS, or PEAP+EAP-TLS.

Then in NPS you need to configure it to accept the same authentication method.

Correct which I have. My issue is related to Meraki though and the configuration of the SSID access. So to get it to work I had to pick the radio button currently selected:

This will not encrypt any connections which is the problem here.

And that is where you select "Enterprise with (dropdown) My Radius server" - Setup your NPS in the radius server fields , setup your rules in NPS to use EAP-TLS , and have your CA issue certificates to your devices (typically done via a GPO and CertTemplate).

We do this a lot of places, with both Meraki and Cisco Classic. Using NPS or Cisco ISE as "your" radius server. It is the most secure you cant get if you remember to setup the client correctly also 🙂

Thank you I will test with those settings in Meraki. Just in the first few tests I do notice that the logs containing the Success and deny logs show the Computer/user as anonymous. Seeing is how the Policy is looking for a Machine cert that makes somewhat sense but I don't suppose there is a way to audit the user as well in the logs? 

You need to use something like TEAP with EAP chaining which modern Windows 10 does support, but Microsoft NPS does not.  EAP chaining allows you to authenticate both the user and computer together.