How to audit NTLM authentication on Windows 11 22H2 and above now that credential guard blocks this traffic a leaves empty EVENT IDs in NTLM event log?

Question

We deployed NTLM auditing via GPO a while ago to help us collate the who, what, where and how NTLM requests are being generated within the network so we can address the sources of insecure NTLM auth and work toward the eventual goal of switching off NTLM auth in the domain and managing / allowing only an exception list for legacy apps and services until they eventually disappear however...

Some users were recently approved for Windows 11 testing so had their workstations upgraded to Windows 11 24H2.

This means credential guard is enabled by default and that means the NTLM logs on those endpoints now are useless because NTLM is blocked outright and the 4014 event IDs are empty because no NTLM is allowed to work. These 4014 events are valuable logs in addressing things like missing SPNs and or identifying users who need education like using FQDNs instead of IPs to allow kerberos auth to work.

My question is how do we get those logs to work again (switch on / switch off for testing) on the latest Windows 11 builds so we can inspect and remediate the requests?

I've tried disabling Credential Guard outright but the 4014 events remain in an error state with no information in them?

Credential Gueard status = 0

PS C:\WINDOWS\system32> (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
0

Event IDs 4014 = error / empty