Hi, has anyone resolved issues with network protection?

I have two problems going on - firstly a load of machines (most) in a customer tenant which are acting like network protection is disabled.

I have validated they can reach the smartscreen URLs with invoke-webrequest, I have checked the defender policy running on the machine with get-mppreference and all is in order.

Nothing shows in the event log to suggest it is trying to work or that it is having a problem.

Smartscreen in edge works fine on these systems but chrome and other browsers just sail on through.

secondly, the security baseline is causing a conflict with defender AV endpoint security policy where both enable network protection - resulting in network protection again acting like its disabled on the endpoint although the local machine returns enablenetworkprotection 1

if i had hair left i'd be tearing it out