I used the following to set this up. I have AP-deployed, Intune-enrolled W10 devices, enrolling device/user certs from an on-prem CA via SCEP and the NDES connector as part of the ESP, as described in this article, using an Intune-deployed Wi-Fi profile, connecting to a Meraki Wi-Fi network, auth'ing against NPS using PEAP-TLS. https://www.jeffgilb.com/ndes-for-intune/

The only real issue for us is the lack of device-based certificate auth, simply because with AAD-joined devices there are no computer account objects in on-prem AD to add to an AD group used in an NPS condition. So yes, on fully AAD-joined devices we have to use user certs, so auth is only available post-logon. If you require device-based certs enabling pre-user-logon auth to the Wi-Fi network, you will probably need to use hybrid AAD join, so you get the computer account on-prem which you can add to a group and use in NPS.

It looks like a lot of work, but it isn't really. If you already have on-prem AD, an on-prem enterprise CA, an Azure tenant, and familiarity with AAD Applications/Enterprise Applications, it's not a big deal. It took a couple of hours. Good luck 🙂