Why you should not enable Credential Guard on Domain Controllers?

Credential guard protects the credential derivatives like NTLM hash and Kerberos tickets; this TechNet article has a very detailed explanation as well as deployment guidelines. There was a recent change in this article to call out the following: Warning Enabling Credential Guard on domain controllers is not supported. The domain controller hosts authentication services which…