From 6e727d1da7225a0f9cb880325d570a46384ce63d Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Wed, 5 Oct 2022 10:14:17 -0700
Subject: [PATCH] Clarified Pro SKU Issue

Added new command to check if a Pro SKU device is in the state where it would have received automatic enablement.
---
 .../credential-guard/credential-guard-manage.md             | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 5d184f9961..0b3b7825e7 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -41,7 +41,11 @@ Windows Defender Credential Guard will be enabled by default when a PC meets the
 > If Windows Defender Credential Guard or VBS has previously been explicitly disabled, default enablement will not overwrite this setting.
 
 > [!NOTE]
-> Devices that previously had an Enterprise license and are now running Windows 11 Pro 22H2 may have Virtualization-Based Security (VBS) and LsaIso.exe automaticaly enabled if they meet the other requirements for default enablement listed above. In this scenario, if you wish to disable VBS and LsaIso.exe, follow the instructions for [disabling Virtualization-Based Security](#disabling-virtualization-based-security).
+> Devices running Windows 11 Pro 22H2 may have Virtualization-Based Security (VBS) and/or Windows Defender Credential Guard automaticaly enabled if they meet the other requirements for default enablement listed above and previously had an Enterprise license or previously ran Windows Defender Credential Guard. 
+> 
+> To confirm if your Pro device is in this state, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
+> 
+> In this scenario, if you wish to disable VBS and Windows Defender Credential Guard, follow the instructions for [disabling Virtualization-Based Security](#disabling-virtualization-based-security). If you wish to disable only Windows Defender Credential Guard without disabling Virtualization-Based Security, use the procedures explained in [Disable Windows Defender Credential Guard](#disable-windows-defender-credential-guard).
 
 ## Enable Windows Defender Credential Guard