This caught us out too, but our IT Security team (rightly) felt that disabling key security functionality in Windows 11 wasn't an appropriate long term solution, a short term workaround for key individuals at most.

We now have certificate based authentication in place for Windows 11 users.  This is a bit of a pain as devices have to register with the certificate server and have a cert issued to them before they can connect to wireless. This means that new devices (and devices just upgraded to Windows 11) have to connect to a cabled connection first, but it's what we've got to work with.

We are rolling out Windows 11 Enterprise and are having the same issue, its not an issue with Win 11 Pro.The article below explains how to configure EAP in NPS, you can use your existing SSID when you go live.I would recommend testing beforehand. We stood up a new test SSID and used a new Radius server prior to importing the config onto our production NPS servers. Import/export will save some time when testing and rolling to production. Make sure you move the EAP policy above the CHAP policy in order of precedence, we plan to leave the older policy in place, some Windows 10 machines were having issues with EAP.  

Creating a Policy in NPS to support EAP-TLS authentication - Cisco Meraki Documentation

Credential guard is only enabled by default from W11 Education and Enterprise 22H2 (for now), YMMV getting Security teams to approve disabling CG on managed devices, even if only temporarily.

If the end user devices in your environment are fully managed by policy then it's not so bad, much more of a PITA where you don't control those endpoints and they have to go through some form of onboarding!

Hey @OCTOMG, quick question on the above workaround. Can CG be re-enabled once you manually enable NTLMv2? Or did you guys just keep CG off until you get EAP-TLS going? 

Keep CG off until you get EAP-TLS going using a root CA and the server certificate on the NPS server. If PKI is not setup, you will have to ensure its functioning first issuing both client and server certs. We ended up spinning up a new hidden SSID and a new NPS server for the EAP-TLS configuration. SSID is being pushed via GPO too all Win 11 workstations via WMI filter. Works well after re-enabling credential guard.

My statement earlier about running both policies on the same server was not accurate. Order of precedence with EAP 1st was not working correctly for us with NTLM on the same NPS server, we had to roll back a day after testing in production. Mixed results with Win10 workstations using the cert, some were trying to use NTLM and not connecting successfully. Both Win10 test machines connected when testing prior to rolling to production from different remote sites over S2S tunnel.