Hi Steve,

Thanks for submitting this to microsoft directly.  It's a bit difficult to traverse the feedback hub for this type of problem.  Hopefully you can update this thread if/when you hear something back from MS. 

Thanks. 

Okay so we have a new platform update version 4.14.17613.18039-0. I've had connections blocked with this platform on 1709 but no notification, on 1803 I've had both blocked connections and notification.

That is interesting.  I'm running 1709 on all of my computers, and I'm now seeing the same thing.  The test site is properly blocked, but I don't receive a notification.  I also do not see a corresponding log entry for the event.  According to this documentation I should see log entries for the Network Protection events in the Windows Defender -> Operational log, however nothing is being logged their after the test site is blocked. 

I guess I will just wait until 1803 is ready for broad distribution.   

We've had another platform version released (4.14.17639.18041-0) but the results are the same in 1709 as the last release so blocks but no notifications still. On the upside 1803 Enterprise appears to be a well polished version of 1709, my only problem so far is event logs that are set to archive when full actually stop logging which is a problem that was fixed in 1709 a few months back other than that all is well so you may be able to move to 1803 sooner than you'd planned.

The last 2 releases of the Defender platform on 1709 have been blocking but not notifying, you can test it in PowerShell with the following;
###Begin

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12
$url = 'https://smartscreentestratings2.net/'
$webClient = New-Object System.Net.WebClient
# $webClient.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy() #Use to bypass the proxy if needed
$webClient.DownloadString($url)
###End
You will get an SSL/TLS negotiation error when blocked, add PowerShell(_ise).exe to the Defender exclusion and restart PowerShell, you'll then get a web response.

I've just tested it on Pro 1803 (17134.1) and it works, notifications and blocking. 

We have a few PCs, pre and post 1709, that Defender is completely cutting off the network. In one case deleting wdnsfltr.exe and .sys solved it. Nothing in the Defender Event logs about blocking access to the network or a bad site. We are deploying via Group Policy from Server 2016. Win10 Pro clients.

DH

What platform versions are the affected clients running?

Win 10 Pro.

One was 1709 and the other was 1603.

In the case of 1709, we had to delete wdnsfltr while unjoined.

In the case of 1603, we took it off the domain, applied 1709, rejoined and network came back. wdnsfltr never started up in this case.

DH

What Windows Defender platform version was running at the time of the issues, look at C:\ProgramData\Microsoft\Windows Defender\Platform\x.xx.x.xxx for example. The issues we've seen have been a combination of Defender platform and OS version.

Do you still have issues now with platform 4.14.17639.18041-0?

Both clients are at that version now, but part of the troubleshooting for both was to update them to 1709 so not sure what was there before.

On checking now on other PCs, some platform folders are empty, some are at 4.12.17007.18022-0, etc etc

How do we ensure everyone has current Defender regardless of OS patch level - is there a KB we can quickly push on everyone?

Thanks

DH

Do the clients without the latest platform version have the latest engine and definitions, Get-MpComputerStatus in PowerShell will show you?

Fails on PCs where AVG is still running.

PCs where AVG is gone have been updated to 1709 and so far have the latest Defender.

DH