Hello!
The theory:
By enabling Windows Defender Credential Guard, the following features and solutions are provided:
Hardware security NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
Virtualization-based security Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
Better protection against advanced persistent threats When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked.
The practice (after enabling CG):
1) The domain user account does not display neither NTLM hash (it displays the encrypted content) nor Kerberos password:

2) The domain computer account does display its NTLM hash but the Kerberos password field is not empty as for the user account but instead contains the encrypted password:
As far as I see the documentation above says nothing about differences between user and computer accounts so
Q1: Why does the computer account still have its NTLM hash visible?
Q2: Is this difference in displaying NTLM and Kerberos hashes/passwords by design for CG?
Thank you in advance,
Michael