I recorded this video on this topic (PEAP/MSCHAPv2); it explains what the problem is, why you should avoid it whenever possible, and why you should think twice in case you can't avoid it.
In summary: Only deploy these legacy methods if you either don't care about security or about losing user credentials, or if you have 100% control over the end-user device. As this strict client control is seldom the case, move to EAP-TLS (or PEAP with certificates) if you need a secure solution.
Unfortunately, I don't have a guide on how to set this up with NPS, but I have done this once in the past and didn't run into big issues as far as I can remember. The biggest challenge in most deployments is how to get certificates enrolled on the clients and how to get the clients configured. In a Windows environment there are tools available with group policies and the Windows Certificate Services. For other devices like BYOD, you might need to have a look at MDM solutions or ClearPass Onboard.
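As an added illustration that is not part of the original post, here is what the advice above looks like in client configuration, using wpa_supplicant syntax: the loosely configured PEAP/MSCHAPv2 profile that exposes credentials, the same method with the server checks a tightly controlled client would enforce, and the EAP-TLS target. The SSID, identities, CA file, certificate paths and RADIUS host name are made-up placeholders.

```conf
# Added example, not from the original post. All values are placeholders.

# 1) PEAP/MSCHAPv2 as it is often handed to users: no CA pinned and no
#    server-name check, so the supplicant will complete the inner
#    MSCHAPv2 exchange with whatever RADIUS server and certificate it
#    meets. This is the situation the post warns about.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder"
    phase2="auth=MSCHAPV2"
}

# 2) PEAP/MSCHAPv2 on a client you fully control: the server certificate
#    must chain to the company CA and carry the expected name, otherwise
#    the TLS tunnel is torn down before any MSCHAPv2 credential material
#    is sent.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}

# 3) EAP-TLS, the recommended target: no password is ever transmitted;
#    the client authenticates with its own certificate and still
#    verifies the server the same way as in 2).
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@example.com"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/jdoe.crt"
    private_key="/etc/wpa_supplicant/jdoe.key"
}
```

Profile 3 is the one that creates the enrolment problem mentioned above: every client needs its own certificate and key before it can connect, which is what group policy with Windows Certificate Services, an MDM, or ClearPass Onboard is used to solve.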