Hi @LennyBendahmane-6418
If you're using a domain CA, NPS, and auto-enrollment, then I'm assuming your clients are domain members. You could set the Network Policy condition to require a domain group (Domain Users/Computers or a custom "Trusted Users/Devices" AD group).
Technically, a domain member could still connect via a foreign cert from a Trusted CA, but it will protect against an outsider with a foreign cert.
Here's a guide to managing NPS certificates:
https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-certificates
---------
--If the reply is helpful, please Upvote and Accept as answer--