Starting Windows 10 1607 the pre-installation of Hyper-V Hypervisor for Credential Guard is no longer necessary (s. Protect derived domain credentials with Credential Guard).
After activating Credential Guard via GPO or registry the process lsaIso.exe is running.
Msinfo32 is showing Credential Guard activated and a hypervisor is detected.
But Windows Features shows Hyper-V Hypervisor not activated.
So where is the security coming from?
It is the Hyper-V Hypervisor.
Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V*"
still shows Hyper-V disabled,
Get-Service -Name "HV*"
shows the “HV Host” service is running.
It also solves an issue in Hyper-V modularization. If only Hyper-V Hypervisor is installed via GUI or PowerShell, 5 devices will show up in device manager w/o drivers: