I came across an interesting incident. We deployed the "Defender for Endpoint" v6 baseline from Microsoft to our clients.
Everything was working well - for 3 days until a colleague of mine tried to start his workshop with the customer.
Connecting, VoIP, PowerPoint sharing, everything worked - but there was a need to show the desktop, which was saying "connecting" for ~5-10 seconds and then stopped.
Also the other way, "watching", was not working - it worked for 10-15 seconds though and then stopped.
Took me about 2 1/2 days to find the baseline responsible, as there was no entry in any log that something gets blocked.
Not in the timeline and not in the event log. Just trial and error.
The problem was the "network protection" that was set to block. After setting it to audit, it worked again. Today I was doing the recap - trying to figure out how to set it to block again - but still no entries.
What can I do? (No support case please - I just don't have the time for 2 weeks of 1st level until I get to second.)