From cec8832240613b746dcbce930ffca71688896515 Mon Sep 17 00:00:00 2001
From: Pierre Audonnet <piaudonn@microsoft.com>
Date: Mon, 23 Apr 2018 08:13:21 -0400
Subject: [PATCH 1/2] Typo in default SDDL for Windows 10

It seems that there an erroneous opening parenthesis in the SDDL. I just suggested to remove it.
---
 ...ccess-restrict-clients-allowed-to-make-remote-sam-calls.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 968a0346b1..3d50fd3739 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -85,7 +85,7 @@ In other words, the hotfix in each KB article provides the necessary code and fu
 |---|---|---|---|
 |Windows Server 2016 domain controller (reading Active Directory)|“”|-|Everyone has read permissions to preserve compatibility.|
 |Earlier domain controller |-|-|No access check is performed by default.|
-|Windows 10, version 1607 non-domain controller|(O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>DACL: <br>•	Revision: 0x02 <br>•	Size: 0x0020 <br>•	Ace Count: 0x001 <br>•	Ace[00]------------------------- <br> &nbsp;&nbsp;AceType:0x00 <br> &nbsp;&nbsp;(ACCESS\_ALLOWED_ACE_TYPE)<br> &nbsp;&nbsp;AceSize:0x0018 <br> &nbsp;&nbsp;InheritFlags:0x00 <br> &nbsp;&nbsp;Access Mask:0x00020000 <br> &nbsp;&nbsp;AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544) <br><br> &nbsp;&nbsp;SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. |
+|Windows 10, version 1607 non-domain controller|O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>DACL: <br>•	Revision: 0x02 <br>•	Size: 0x0020 <br>•	Ace Count: 0x001 <br>•	Ace[00]------------------------- <br> &nbsp;&nbsp;AceType:0x00 <br> &nbsp;&nbsp;(ACCESS\_ALLOWED_ACE_TYPE)<br> &nbsp;&nbsp;AceSize:0x0018 <br> &nbsp;&nbsp;InheritFlags:0x00 <br> &nbsp;&nbsp;Access Mask:0x00020000 <br> &nbsp;&nbsp;AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544) <br><br> &nbsp;&nbsp;SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. |
 |Earlier non-domain controller |-|-|No access check is performed by default.|
 
 ## Policy management
@@ -163,4 +163,4 @@ If the policy is defined, admin tools, scripts and software that formerly enumer
 
 [SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016](https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b)
 
-<br>
\ No newline at end of file
+<br>

From 862bffc73e464ef02db744111f853fa4a07154d8 Mon Sep 17 00:00:00 2001
From: Kaushik Ainapure <kaushika@microsoft.com>
Date: Mon, 23 Apr 2018 16:58:24 +0000
Subject: [PATCH 2/2] Adding known block - msi-Http-installations are blocked
 by Device Guard

The recommended solution is to download the file locally (or an SMB share) and run it from there.
---
 ...and-deployment-planning-guidelines-for-device-guard.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
index 418d67676f..0babddc7e7 100644
--- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -149,6 +149,14 @@ We recommend that you keep the original XML file for use when you need to merge
 
 When the WDAC policy is deployed, it restricts the software that can run on a device. The XML document can be signed, helping to add additional protection against administrative users changing or removing the policy. 
 
+## msi-Http-installations are blocked by Device Guard
+When you install msi-files over a Device Guard protected machine directly from the internet, it would fail. 
+If you try to install a msi-file using this command-line:
+- msiexec –i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi
+
+You need to download the MSI file and run it locally:
+- Msiexec –i c:\temp\Windows10_Version_1511_ADMX.msi 
+
 ## Related topics
 
 - [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)