Hey all, looking for a bit of assistance with a problem that's popped up on our network in the past few months. We cannot nail down exactly when this started, but we have some issues specific to EAP-TLS X.509 user smartcard authentication and machine certificate authentication that we're trying to solve.
The scenario:
Machine Authentication (Workstation Certificate) – Works fine. When systems restart, or no user is logged into the system, authentication works as intended. The client certificate is sent by the NAM supplicant, ISE receives it, auth happens, everyone is happy.
Machine / User Authentication (Workstation Certificate / X.509 Smartcard) – Works fine. When a user logs into a system with their smartcard, we see EAP chaining work as intended (both user and machine authentication in a single RADIUS session).
Machine Fallback (User Logged In, X.509 cert removed from the system) – No longer working. We cannot figure out whether it's a Windows 11 "feature" that may have been implemented in one of the latest Win11 upgrades (Credential Guard / Device Guard?). If a user pulls their smartcard out of the system, so the user's certificate is no longer available, and an 802.1X reauthentication is triggered, the workstation certificate is never presented in the authentication session. This was previously working, so we are just trying to identify whether it's a Windows issue or a new NAM bug.
I've tried implementing TEAP, bypassing Secure Client/NAM altogether, and the results were the same. This leads me to believe it's a Windows "feature" regarding credential stores, or protections that Microsoft has implemented in security rollups/revision upgrades.
At this point I'm just wondering what the purpose of the machine fallback is in ISE (user failed / machine succeeded), unless this is still applicable only in legacy implementations (PEAP/MSCHAPv2).
Anyways, thanks for any assistance that you're able to provide!
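A diagnostic that belongs next to this kind of report, added here as an example and not part of the original post or of any Cisco or Microsoft tooling: before blaming the supplicant or the OS, confirm that the workstation certificate the fallback would need is actually usable on the endpoint (present in the machine store, inside its validity window, private key accessible, Client Authentication EKU, chain building), and pull the most recent wired 802.1X events so the reauthentication after smartcard removal can be correlated with what the supplicant did. The store paths, the Client Authentication OID, the event log name and the `$cert.Verify()` chain check are standard Windows facilities; which certificate NAM or the native supplicant is configured to select is an assumption you must verify against your own profile.

```powershell
# Added diagnostic (not from the original post). Assumes the machine certificate
# lives in Cert:\LocalMachine\My and that the 802.1X profile requires the
# Client Authentication EKU (1.3.6.1.5.5.7.3.2); adjust if your PKI differs.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$now = Get-Date

function Get-MachineAuthCandidate {
    # Return every machine-store certificate a supplicant could present for
    # EAP-TLS machine authentication, with the reasons it would be rejected.
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $problems = @()
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        if ($cert.NotBefore -gt $now)  { $problems += 'not yet valid' }
        if ($cert.NotAfter  -le $now)  { $problems += 'expired' }
        $hasClientAuth = $cert.EnhancedKeyUsageList |
            Where-Object { $_.ObjectId -eq $clientAuthOid }
        if (-not $hasClientAuth) { $problems += 'missing Client Authentication EKU' }
        # Verify() builds and validates the chain with the local trust store.
        if (-not $cert.Verify()) { $problems += 'chain does not validate' }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

function Get-UserSmartcardCert {
    # The user-store certificates are what EAP chaining sends for the user leg;
    # after smartcard removal this list should shrink, which is the trigger for
    # the machine-only fallback being discussed.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList |
            Where-Object { $_.ObjectId -eq $clientAuthOid } } |
        Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter
}

function Get-RecentWired8021xEvent {
    param([int]$Count = 25)
    # Wired-AutoConfig operational log records the native supplicant's
    # authentication attempts and results; NAM keeps its own logs (DART bundle),
    # so use this for the TEAP / native-supplicant comparison the post mentions.
    Get-WinEvent -LogName 'Microsoft-Windows-Wired-AutoConfig/Operational' `
        -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

'== Machine certificates available for EAP-TLS fallback =='
Get-MachineAuthCandidate | Format-Table -AutoSize

'== User (smartcard) client-auth certificates currently visible =='
Get-UserSmartcardCert | Format-Table -AutoSize

'== Most recent wired 802.1X events =='
Get-RecentWired8021xEvent | Format-List
```

Run it twice in an elevated session: once with the smartcard inserted and once immediately after removal. If the machine-store candidate shows `Usable = True` in both runs yet the 802.1X events (or the ISE live log) show the session being torn down with no machine certificate offered, the certificate is not the problem and attention can move to the supplicant profile's certificate-selection settings or to a platform change on the endpoint.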