WPA2-Enterprise: which certificate to avoid changing Validate server certificate for Windows guest?

Olivier oza.4h07 at gmail.com
Mon Sep 10 09:23:01 CEST 2018


Hello,

I'm running a WPA2 Enterprise Wifi network powered by Freeradius 3.0.12 on
Debian Stretch.

Currently, Windows guests need to follow a rather long and error-prone
process like the one described in [1].
The core of this process is, if I'm not mistaken, to change a default
value in the Protected EAP Properties configuration window.
The default value that needs to be changed is the "Validate server
certificate" one: its default value is checked (see point 9 in the referenced
doc).

My understanding of this default value is that, "by default, Windows will
validate the Server Certificate using a list of Trusted Root Certificate
Authorities and if no Server Certificate is received then the connection is
refused with a somewhat misleading "Incorrect password" error message".

My questions are:
1- In this context, is it correct to say that the Server Certificate Windows is
referring to is a file somewhere in the /etc/freeradius directory? If
so, what does it look like? A .pem file? A .der file?

2- Is it correct to hope that "if WiFi guests are somehow given such a
Server Certificate file before trying to connect, they won't need to change
Protected EAP Properties"?

Best regards

[1]
https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_WPA2-Enterprise_in_Windows_Vista_and_Windows_7

