When you deploy new machines with Windows 10 1607 and want to enable Credential Guard, one of the things you will want to do is prepare Hyper-V and Isolated User Mode so that they are preinstalled and end users are not affected during enablement.
First off, let's talk about Isolated User Mode. This was previously a standalone feature that was required, but starting with v1607 it has been included in the Hyper-V role. This means that there is one less feature for you to enable and keep track of.
Next we need to enable Hyper-V, and the only features you need are the Hyper-V services and Hyper-V platform. This can be achieved using the Install Roles and Features step in MDT. In your task sequence, before the Windows Update step, add a group and add the steps described below.
Start with an Install Roles and Features step, then add a Restart Computer step, and finish with a Run Command Line step. Configure the Install Roles and Features step as follows: check Hyper-V Platform, Hyper-V Hypervisor and Hyper-V Services.
For the Run Command Line step, add the following command:
Dism /online /disable-feature /featurename:Microsoft-Hyper-V-Tools-All /Norestart
This will ensure that when the computer has finished deploying it will have the necessary roles and features for Credential Guard, but end users won’t see the management tools.
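To confirm that a deployed machine ended up in the state described above, the following added example (not part of the original post) checks the relevant optional features from an elevated PowerShell prompt or a final task sequence step. Only Microsoft-Hyper-V-Tools-All comes from the post; the other three feature names are assumed to be the Windows 10 optional-feature names behind the boxes checked in MDT, and the function name is hypothetical.

```powershell
# Added example: verify the feature states the task sequence should leave behind.
# Must run elevated. Feature names other than Microsoft-Hyper-V-Tools-All are
# assumptions mapping to the three boxes checked in the MDT step.
$expected = [ordered]@{
    'Microsoft-Hyper-V'            = 'Enabled'   # Hyper-V Platform
    'Microsoft-Hyper-V-Hypervisor' = 'Enabled'   # Hyper-V Hypervisor
    'Microsoft-Hyper-V-Services'   = 'Enabled'   # Hyper-V Services
    'Microsoft-Hyper-V-Tools-All'  = 'Disabled'  # management tools removed by the DISM step
}

function Test-CredentialGuardPrereqs {
    # Hypothetical helper: compares each feature's actual state with the expected one.
    param([System.Collections.IDictionary]$Expected)

    foreach ($name in $Expected.Keys) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        # A missing feature is reported explicitly instead of throwing.
        $actual = if ($feature) { [string]$feature.State } else { 'NotFound' }

        [pscustomobject]@{
            Feature  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Ok       = ($actual -eq $Expected[$name])
        }
    }
}

$report = Test-CredentialGuardPrereqs -Expected $expected
$report | Format-Table -AutoSize

if ($report.Ok -contains $false) {
    Write-Warning 'One or more Hyper-V features are not in the expected state.'
    exit 1   # non-zero exit code so a task sequence step running this script fails
}
exit 0
```

An Actual value of EnablePending or DisablePending means the change is staged and a restart is still outstanding.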