Hello
I am Abdal and I would be glad to help you with your question.
There are a few reasons why Defender might not be collecting MpSupportFiles when you execute the MDEClientAnalyzer script from a live response session. Here are some things to check:
Make sure that the machine you are running the script on has internet access. The MDEClientAnalyzer script downloads the MpSupportFiles.cab file from the internet, so if the machine doesn't have internet access, the file won't be downloaded.
Make sure that the MDEClientAnalyzer script is running with elevated privileges. The script needs to be able to access the MpSupportFiles.cab file, which is located in the Windows Defender folder. If the script is not running with elevated privileges, it will not be able to access the file.
Make sure that the MDEClientAnalyzer script is not being blocked by a firewall or antivirus program. Some firewalls and antivirus programs can block scripts from running, so you may need to add an exception for the MDEClientAnalyzer script.
If you have checked all of these things and Defender is still not collecting MpSupportFiles, you can try the following:
Try running the MDEClientAnalyzer script from a different machine. If the script works on a different machine, then the problem is likely with the machine that you are originally trying to run it on.
Try downloading the MpSupportFiles.cab file manually and then running the MDEClientAnalyzer script with the file as an argument. This will bypass the need for the script to download the file from the internet.
Here are the commands to run the MDEClientAnalyzer script:
Run MDEClientAnalyzer.ps1
GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip"
The first command will run the MDEClientAnalyzer script. The second command will save the output of the script to a file called MDEClientAnalyzerResult.zip. This file will contain the MpSupportFiles.cab file, as well as other logs and diagnostic data.
You can also refer to the article below for more detailed information: https://learn.microsoft.com/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log
I hope this information helps.
Regards,
Abdal
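The checks the answer above walks through (is the session elevated, does the result archive exist at the quoted path, and does it actually contain MpSupportFiles.cab) can be scripted as a local pre-flight check. The following PowerShell is an added example and not code from the original answer or from the MDEClientAnalyzer tool; it assumes the result archive lives at the path quoted in the answer and that the artefact to look for inside it is named MpSupportFiles.cab.

```powershell
# Added example (not part of the original answer or the MDEClientAnalyzer tool).
# Assumptions: the result archive is at the path quoted in the answer, and the
# expected artefact inside it is named "MpSupportFiles.cab".

function Test-IsElevated {
    # True when the current token carries the local Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AnalyzerZipEntries {
    # Returns the relative paths of every entry in the analyzer result archive.
    param([Parameter(Mandatory)][string]$ZipPath)
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        return @($zip.Entries | ForEach-Object { $_.FullName })
    } finally {
        $zip.Dispose()
    }
}

function Test-MpSupportFilesCollected {
    # Reports whether the analyzer run produced MpSupportFiles.cab, and warns
    # about the two preconditions the answer lists (elevation, archive present).
    param(
        [string]$ZipPath = 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip',
        [string]$CabName = 'MpSupportFiles.cab'
    )

    if (-not (Test-IsElevated)) {
        Write-Warning 'Not running elevated; the analyzer needs admin rights to read the Windows Defender folder.'
    }

    if (-not (Test-Path -LiteralPath $ZipPath)) {
        Write-Warning "Result archive not found at: $ZipPath"
        return $false
    }

    $entries = Get-AnalyzerZipEntries -ZipPath $ZipPath
    $cab = $entries | Where-Object { $_ -like "*$CabName" }

    if ($cab) {
        Write-Host "Found $CabName in the archive: $($cab -join ', ')"
        return $true
    }

    Write-Warning "$CabName is missing from the archive. Entries present:"
    $entries | ForEach-Object { Write-Warning "  $_" }
    return $false
}

# Usage: run from an elevated PowerShell prompt on the affected machine after
# the analyzer has finished; a $false result with the entry listing tells you
# whether the run produced anything at all or only omitted the cab.
Test-MpSupportFilesCollected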