Add Windows nodes limitations (#98)

datacenter/ucp/2.2/guides/admin/configure/join-windows-worker-nodes.md

@@ -154,9 +154,11 @@ PS> netsh advfirewall firewall add rule name="docker_proxy" dir=in action=allow
 1.  Create the directory `C:\ProgramData\docker\daemoncerts`.
 2.  In a PowerShell terminal running as Administrator, run the following command
     to generate certificates.
+
     ```ps
     PS> docker run --rm -v C:\ProgramData\docker\daemoncerts:C:\certs dockerorcadev/ucp-agent-win:2.2.0-5213679 generate-certs
     ```
+
 3.  To set up certificates, run the following commands to stop and unregister the
     `dockerd` service, register the service with the certificates, and restart the service.
 
@@ -175,3 +177,26 @@ The `dockerd` service and the Windows environment are now configured to join a U
 ```
 Node WIN-NOOQV2PJGTE is a Windows node that cannot connect to its local Docker daemon.
 ```
+
+## Windows nodes limitations
+
+Some features are not yet supported on Windows nodes:
+
+* Networking
+  * The swarm mode routing mesh can't be used on Windows nodes. You can can expose
+  a port for your service in the host where it is running, and use the HTTP
+  routing mesh to make your service accessible using a domain name.
+  * Encrypted networks are not supported. If you've upgraded from a previous
+  version, you'll also need to recreate the `ucp-hrm` network to make it
+  unencrypted.
+* Secrets
+  * When using secrets with Windows services, Windows stores temporary secret
+  files on disk. You can use BitLocker on the volume containing the Docker
+  root directory to encrypt the secret data at rest.
+  * When creating a service which uses Windows containers, the options to
+  specify UID, GID, and mode are not supported for secrets. Secrets are
+  currently only accessible by administrators and and users with system access
+  within the container.
+* Mounts
+  * On Windows, Docker can't listen on a Unix socket. Use TCP or a named pipe
+  instead.