My lab test NPS windows 2016 and Certificate with Cisco 2504 Firmware 220.127.116.11 configuration Radius everything work. but Client non-domain windows 8/10 and some mobile can login my SSID(802.1x) without Certificate.
That is because you are probably allowing PEAP protocol in NPS. In order to authenticate using a computer certificate, you need to specify EAP-TLS. You can search “Radius NPS EAP-TLS” and find various links on what you need to do.