MDE to MCAS hell


Hi all,

We have E5 licenses. MDE connected to MCAS all worked fine until April 18th; since then MCAS no longer receives info from the MDE connector. Nothing changed, all settings are correct. Does anyone know what to do, as support is HELL: 9 days of screenshotting over and over the same thing (screenshots I actually even added during ticket creation). Looping around and around and around but nobody fixes that connector. Does anyone know what I can do myself, because support is leading to totally nothing?

Help...:)

4 Replies
Please confirm the following:
1. Microsoft Defender for Endpoint is the primary (not passive) AV
2. Licenses have not expired, and a MCAS, EMS E5, or M365 E5 or equiv license is assigned to users.
3. No changes on your firewall that are blocking outbound internet connection from Defender for Endpoint to Internet
4. No changes to your MDE Advanced Options settings? Please confirm MDE > Settings > Advanced > MCAS checkbox is still set (make sure no one turned it off)
MCAS? In MCAS Settings > Defender > Enforce App Access checkbox is checked? (make sure no one turned it off)
5. Confirmation that the problem you are having is that MCAS Discovery > Cloud Discovery Dashboard is no longer showing Windows 10 discovery activity? If not, please explain the exact issue that leads you to believe that the connector is not working.
Also make sure your Windows 10 versions have appropriate hotfixes installed.
For 1709 you need KB4493441
For 1803 you need KB4493464
For 1809 you need KB4489899
Or later Windows 10 versions, no additional KB required.
Hi Joe,

Thanks for your reply, let me answer you.

1. Yes (the only one)
2. No license is expired at all (double checked, I am the global admin)
3. Firewall for testing purposes in separate lab direct connection wide open (all traffic arrives in MDE portal!)
4. No changes done - MDE MCAS is on - in MCAS all ok too; connector status: no info received from MDE since April 18th
5. No activity as reported in status MDE TO MCAS Connector, while in MDE when you perform a query to confirm the workstations send info there is all traffic reported so MDE connector to MCAS is failing)
Windows versions confirmed ok. (1809+KB and one latest windows)


I don't understand what you mean by "while in MDE when you perform a query to confirm the workstations send info there is all traffic reported so MDE connector to MCAS is failing)"
Can you upload a screen shot of the area where you are not seeing what you expect?
Joe,
thank you for the assistance, the issue has been resolved.