@GossiTheDog Now I'm starting to think that MSTIC etc probably maintains a list of of devices where telemetry is blocked/disabled, to improve the signal/noise ratio for identifying devices which threat actors might be using. Presumably it would eliminate 99.9% of the uninteresting endpoints.