The current setting of the Default admin that can't do primary task is a big pain for test and web environments. I don't want an extra account just to change antimallware or test a website that is running on the server.

Deligation and limiting is fine but give the option to give the build-in administrator full control but not as default.

MIT Key Server:
http://pgp.mit.edu:11371/
(users public PGP database)

Eg:
Mailvelope
http://www.mailvelope.com/

MICROSOFT
Please make all your Microsoft products easy to work with PGP.
external server to external server can use DKIM for PGP keys.
and allow your products to work with legit key servers like MIT. make your own key server, if you want to, but share/sync the info back to MIT server(like PGP-DNS).
allow sharing of key servers data, like mirror/sync
allow key servers to use DKIM keys to communicate to external servers.

Thanks.

Runas works OK, but SUDO on Linux works well for allowing administrators to elevate for a one time only commands.

In order to better control access and provide insight to my management and my auditors - I'd like to be able to monitor who has access to what resources

IIS Remote management currently does not allow to authenticate with the "current user", which should be possible with Kerberos.
This leads to the problem, that we are not able to use smartcard authentication against IIS Remote management.

Office 365 implemented a DLP solution and Windows Server also implemented a DLP solution (File Classification Infrastructure) - would be great if we can control both using a single policy console

The following PowerShell command should NOT configure the Enrollment Policy Web Service, because it has the -WhatIf parameter:
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Certificate -Force -SSLCertThumbprint 'f0262dcf287f3e250d1760508c4ca87946006e1e' -KeyBasedRenewal:$false -WhatIf

However, it does configure it. The same goes for Uninstall-AdcsEnrollmentPolicyWebService

This is bad practice for PowerShell cmdlets. It is also preventing us creating a DSC resource to configure this feature.

SIR BILL GATES IS OUR IDEAL PERSON.HE IS CREATED SO MANY EASY WAY FOR OUR LIFESTYLE.OTHERWISE IF HE WILL BE CREATING A DECENT MICROSOFT AC BUS FOR ALL CLASSES PEOPLE.ITS WILL BE A BEST IMPACT FOR OUR LIFE STYLE.& WE NEED TO A LOT OF THAT BUS IN INDIA.

WE ARE INDIAN&WE LOVES OUR WORLD SO MUCH.NOW,THE WORLD IS SO MUCH FAST & CLEAN.IN THIS TIME,MICROSOFT IS A GREAT WAY FOR OUR LIFESTYLE.MICROSOFT WILL BE CREATING&MAKING A LOT OF DECENT AIRPLANE FOR OUR EASIER LIFESTYLE.ITS WILL BE A BEST IMPACT FOR OUR WHOLE WORLD.THAT AIRPLANE WILL BE USING FOR PASSENGERS,CONTAIN PRODUCTS,SUPPLYING(WATER,FOOD,CLOTHES,MEDICINE,ETC)&PATIENT FOR EMERGENCY.I MEAN ITS A VARIOUS WAYS LIKE STEP 1=PASSENGER AIRPLANE,STEP 2=WATER AIRPLANE,STEP 3=PATIENT AIRPLANE,STEP 4=SUPPLYING ALL LEGAL (PRODUCTS,FOOD,MEDICINE).

NOW AT THIS TIME OUR WORLDS MANY FAMILY FACES FLOODS.THEY ARE SOMEONE RICHES BUT MANY OF THE FAMILY SO MUCH POOR.PLEASE REQUEST YOU ALL RICHEST PERSON PLEASE HELP THEM WITHIN FOOD,MEDICINE,CLOTHES,HOUSE PLEASE PLEASE PLEASE

The security log still recording users activates not added to audit setting and recording permissions not added to be audit, like if you want to audit write only the security log still audit the read & list folder contents which is i don't need to audit and this is make the audit log huge.

Now that TPM 2.0 supports EC, the Platform Crypto Provider should support it.

secedit is broken in nano server (checked both TP3 and TP4) and it simply doesn't work. I have asked about it @nano server forum as well without any response so far.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/894a3a8f-64f4-4605-b1ff-9698a53814db/issues-running-secedit-on-nano-server?forum=NanoServer

There is absolutely no way to harden a nano server once it is deployed. can it be fixed? or is there new way to work with local security policy on nano server that I am unaware of?

There is no way to either view or manage local security policy using PowerShell. It is possible to install a utility such as secedit.exe and make calls out to it, but this should be functionality that resides within native PowerShell cmdlets.
This would greatly ease server management, and in particular allow for viewing settings that would otherwise not be available to people without using a GUI tool.

Don't let Dynamic Access Control (DAC) wither on the vine from lack of enhancements! Add a library of PowerShell classifiers in FSRM. Make the installation of PDF and Office file iFilter DLLs a feature that is easy to install with Server Manager. Get more third-party DLP vendors on board. Include DAC features in Office 365, SharePoint 2016 and Exchange. Integrate DAC and RMS into a single easy-to-manage system. At a minimum, make some public confirmations that you are not going to let DAC die a slow death!