@ -178,7 +178,7 @@ If an IT organization has not disabled this policy, users within the organizatio
Windows 10, version 1803, and later can provide users with a notification during their logon. If the IT organization has not disabled the Group Policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in change notifications** or the MDM policy **ConfigureTelemetryOptInChangeNotification**, Windows diagnostic data notifications can appear at logon so that the users of a device are aware of the data collection.
This notification can also be shown when the diagnostic level for the device was changed. For instance, if the telemetry level on the device is set to “Basic” and the IT organization changes it to “Full”, users will be notified on their next logon.
This notification can also be shown when the diagnostic level for the device was changed. For instance, if the diagnostic level on the device is set to “Basic” and the IT organization changes it to “Full”, users will be notified on their next logon.
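Review bot: the replacement sentence says "the diagnostic level for the device was changed", while the paragraph just above it calls the feature "Windows diagnostic data notifications". Consider "diagnostic data level" so the two sentences use one term, and "is changed" to match the present tense of the rest of the paragraph. The Group Policy and MDM names in the context line still say "telemetry"; those are literal setting names and should stay as they are, but a short parenthetical noting that would stop readers from treating the mismatch as an oversight.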
@ -24,13 +24,13 @@ Some Windows components, app, and related services transfer data to Microsoft ne
- Connecting to the cloud to store and access backups.
- Using your location to show a weather forecast.
This article lists different endpoints that are available on a clean installation of Windows 10 Enterprise, version 1709 and later.
This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it.
We used the following methodology to derive these network endpoints:
1. Set up the latest version of Windows 10 Enterprise test virtual machine using the default settings.
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
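Review bot: step 1 of the methodology now reads "Set up the latest version of Windows 10 on a test virtual machine" with no edition named, and the intro sentence drops "Enterprise" the same way, so the article no longer says which edition the capture was taken from. Readers use this list to build egress allow and deny rules, and default background traffic may differ between editions, so please state the edition or editions that were actually captured, or say that the capture was repeated on each. Step 1 also says "the latest version" while the intro says "version 1709 and later"; naming the build that was tested would remove that ambiguity.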
@ -39,6 +39,8 @@ We used the following methodology to derive these network endpoints:
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Enterprise connection endpoints
## Apps
The following endpoint is used to download updates to the Weather app Live Tile.
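Review bot: the heading "## Windows 10 Enterprise connection endpoints" in this hunk still scopes the list to Enterprise, while the previous hunk removes "Enterprise" from both the intro sentence and step 1 of the methodology. One of the two should change so the article states a single scope. The heading is also followed directly by "## Apps" at the same level, which leaves it as an empty section; either make "Apps" and the sections after it "###" under this heading or add a sentence of body text beneath it.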
# Planning and getting started on the Windows Defender Application Control deployment process
@ -60,5 +60,25 @@ This topic provides a roadmap for planning and getting started on the Windows De
8. Enable desired virtualization-based security (VBS) features. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by Windows Defender Application Control.
> [!WARNING]
> Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
## Known issues
This section covers known issues with WDAC and Device Guard. Virtualization-based protection of code integrity may be incompatible with some devices and applications, which might cause unexpected failures, data loss, or a blue screen error (also called a stop error).
Test this configuration in your lab before enabling it in production.
### MSI Installations are blocked by WDAC
Installing .msi files directly from the internet to a computer protected by WDAC will fail.
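Review bot: the "Known issues" intro repeats the WARNING block directly above it almost word for word (incompatibility, unexpected failures, data loss, stop error, test in the lab first). Keep the warning in one place and let the new section open with the issues themselves. In the lines shown, the entry "MSI Installations are blocked by WDAC" states only that installing .msi files directly from the internet will fail; it should also say why the install is blocked and what the supported alternative is, since an administrator who reads only the failure may be tempted to loosen the policy. The intro also names "Device Guard" although the only issue visible here is WDAC-specific, and the heading would read better in sentence case ("MSI installations are blocked by WDAC") to match "Known issues".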