Your network contains an Active Directory Domain Services (AD DS) domain. All domain members have Microsoft Defender Credential Guard with UEFI lock configured.
In the domain, you deploy a server named Server1 that runs Windows Server. You disable Credential Guard on Server1.
You need to ensure that Server1 is NOT subject to Credential Guard restrictions.
What should you do next?
Click on the arrows to vote for the correct answer
A. B. C.A
Since all domain members have Microsoft Defender Credential Guard with UEFI lock configured, disabling Credential Guard on Server1 can cause it to become subject to Credential Guard restrictions again. Therefore, you need to take additional steps to ensure that Server1 is not subject to Credential Guard restrictions.
Option A: Disabling the Turn on Virtualization Based Security group policy setting will disable the Credential Guard feature on Server1. However, this will also disable other virtualization-based security features, such as Device Guard and Windows Defender Application Guard, which may not be desirable.
Option B: Running DISM with the /Disable-Feature and /FeatureName:IsolatedUserMode parameters will remove the Isolated User Mode feature, which is a prerequisite for Credential Guard. This option is a viable solution for disabling Credential Guard on Server1.
Option C: Running the Device Guard and Credential Guard hardware readiness tool will check if the device is capable of running Device Guard and Credential Guard. It does not disable or enable the feature.
Therefore, the correct answer is option B: Run dism and specify the /Disable-Feature and /FeatureName:IsolatedUserMode parameters to remove the Isolated User Mode feature, which is a prerequisite for Credential Guard, and ensure that Server1 is not subject to Credential Guard restrictions.