dotnet · carlossanlop · Apr 29, 2020 · Nov 5, 2019 · Mar 24, 2020 · Mar 25, 2020
diff --git a/xml/System.Security.AccessControl/ObjectSecurity.xml b/xml/System.Security.AccessControl/ObjectSecurity.xml
@@ -1306,7 +1306,16 @@
         <param name="preserveInheritance">
           <see langword="true" /> to preserve inherited access rules; <see langword="false" /> to remove inherited access rules. This parameter is ignored if <paramref name="isProtected" /> is <see langword="false" />.</param>
         <summary>Sets or removes protection of the access rules associated with this <see cref="T:System.Security.AccessControl.ObjectSecurity" /> object. Protected access rules cannot be modified by parent objects through inheritance.</summary>
-        <remarks>To be added.</remarks>
+        <remarks>
+          <format type="text/markdown"><![CDATA[  
+
+## Remarks
+When you call the method with `isProtected=true` and `preserveInheritance=true`, you need to walk the new ACL of the object and check for DENY type ACEs.
+For a canonically sorted DACL, the DENY ACEs must appear in the front of the DACL.
+For more information on the canonical ordering of ACLs, see [Order of ACEs in a DACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/order-of-aces-in-a-dacl).
+
+        ]]></format>
+      </remarks>
         <exception cref="T:System.InvalidOperationException">This method attempts to remove inherited rules from a non-canonical Discretionary Access Control List (DACL).</exception>
       </Docs>
     </Member>