by xnyan 17 days ago
I’m trying to understand your threat model. Microsoft software is allowed to access the network and communicate with peers on the internet, with the exception of its source of security updates?

Struggling to see anything but more risk with no benefit with this security posture.

Much more simple. MS = evil so every domain name associated with it is blocked. I do not use MS software, have no need to update it, and certainly do not need to submit any telemetry info to them. So it is a non-issue until a guest wants to update their laptop using my wifi.

I've done a bit of work with Microsoft and our enterprise firewall. I will bet you any amount you want that you have not blocked all of Microsoft's telemetry endpoints. They are still getting it. The only thing that's happening is introduction of more risk into your network by blocking people from patching known vulnerabilities.