Keep CG off until you get EAP-TLS going using a root CA and the server certificate on the NPS server. If PKI is not set up, you will have to ensure it is functioning first, issuing both client and server certs. We ended up spinning up a new hidden SSID and a new NPS server for the EAP-TLS configuration. The SSID is being pushed via GPO to all Win 11 workstations via a WMI filter. Works well after re-enabling Credential Guard. My statement earlier about running both policies on the same server was not accurate. Order of precedence with EAP first was not working correctly for us with NTLM on the same NPS server; we had to roll back a day after testing in production. Mixed results with Win10 workstations using the cert: some were trying to use NTLM and not connecting successfully. Both Win10 test machines connected when testing prior to rolling to production from different remote sites over the S2S tunnel.
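One way to check on a workstation that the three preconditions the post describes actually hold before re-enabling Credential Guard: Credential Guard is running, the GPO-pushed profile uses EAP-TLS (EAP type 13) rather than PEAP/MSCHAPv2 (type 25, which depends on NTLM-style hashes that Credential Guard blocks), and a valid client-authentication certificate is available. This is an added PowerShell example, not code from the poster; the SSID name is a placeholder, and the script assumes an elevated session on a domain-joined Windows 10/11 client.

```powershell
# Added verification script (not from the original post).
# Assumes the hidden SSID is named "CorpEAPTLS" (placeholder) and an elevated session.
param(
    [string]$SsidName = "CorpEAPTLS"   # placeholder: replace with the real hidden SSID name
)

# 1. Is Credential Guard actually running on this machine?
#    Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$cgRunning = [bool]($dg.SecurityServicesRunning -contains 1)

# 2. Export the WLAN profile that GPO pushed and read the EAP method from its XML.
$tmp = Join-Path $env:TEMP 'wlanprofile-check'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
Remove-Item -Path (Join-Path $tmp '*.xml') -ErrorAction SilentlyContinue
netsh wlan export profile name="$SsidName" folder="$tmp" | Out-Null
$xmlFile = Get-ChildItem -Path $tmp -Filter '*.xml' | Select-Object -First 1
if (-not $xmlFile) { throw "WLAN profile '$SsidName' was not found on this machine (GPO not applied?)" }
[xml]$profile = Get-Content -Path $xmlFile.FullName

# The profile XML uses several namespaces; local-name() sidesteps namespace handling.
$eapTypeNode = $profile.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")
$eapType     = if ($eapTypeNode) { [int]$eapTypeNode.InnerText } else { 0 }
$hiddenNode  = $profile.SelectSingleNode("//*[local-name()='nonBroadcast']")
$isHidden    = $hiddenNode -and $hiddenNode.InnerText -eq 'true'

# EAP type 13 = EAP-TLS (certificate based); 25 = PEAP, which wraps MSCHAPv2 and
# fails once Credential Guard protects the NTLM secrets it needs.
$eapName = switch ($eapType) { 13 { 'EAP-TLS' } 25 { 'PEAP' } default { "unknown ($eapType)" } }

# 3. Is there an unexpired certificate with the Client Authentication EKU available?
#    Check both stores, since the profile may be set to use a user or a machine cert.
$clientCerts = foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication')
    }
}

# Summary: a machine that will keep connecting with Credential Guard on shows
# EAP-TLS, a client cert, and Credential Guard running.
[pscustomobject]@{
    SSID                  = $SsidName
    HiddenSSID            = [bool]$isHidden
    EapMethod             = $eapName
    ClientCertAvailable   = ($clientCerts.Count -gt 0)
    CredentialGuardRunning = $cgRunning
    ReadyForCredGuard     = ($eapType -eq 13 -and $clientCerts.Count -gt 0)
}
```

Run it on a Win10 machine that is "trying to use NTLM" as the post describes: an EapMethod of PEAP, or EAP-TLS with ClientCertAvailable false (no auto-enrolled cert yet), explains the failed connection without touching the NPS side.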