Hi, in this document under "Common URLs for all locations" you effectively recommend we exclude *.blob.core.windows.net from TLS intercept. Although you also state "Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic", that is misleading, as we know Defender ATP uses certificate pinning at the client level. Therefore TLS intercepting some (all?) of these sites may break Defender ATP connectivity to the MS cloud service. Can you please explicitly state which of these URLs rely on certificate pinning and/or remove *.blob.core.windows.net from the list and explicitly call out the blob storage URLs required, as is done here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus#allow-connections-to-the-windows-defender-antivirus-cloud-service
Thank you
@phillym - Thank you for submitting feedback.
I will get this issue over to the Win10 ITPro writing team for investigation.
Thank you for reporting and making the docs better. Much appreciated.
I made a note to request the team to update this when the work is complete.
@mjcaparas - Can you please share your insights on this issue?
Thank you.
Hi @phillym - reaching out to the engineering team. I'll try and update the topic shortly.
@mjcaparas - Do you have any updates on this?
Thank you.
cc: @kenwith
Hi @mypil and team,
Do we have any updates on this?
Thanks!
phillym
@phillym - I have already reached out to the author @mjcaparas to get some updates on the progress of this issue.
We will let you know as soon as we get some response. Thank you for your patience.
The page has been updated: