Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to:
The Microsoft Defender for Endpoint Client Analyzer (MDECA) can be useful when diagnosing sensor health or reliability issues on onboarded devices running either Windows, Linux, or macOS. For example, you might want to run the analyzer on a machine that appears to be unhealthy according to the displayed sensor health status (Inactive, No Sensor Data or Impaired Communications) in the security portal.
Besides obvious sensor health issues, MDECA can collect other traces, logs, and diagnostic information for troubleshooting complex scenarios such as:
- Application compatibility (AppCompat), performance, network connectivity, or
- Unexpected behavior related to Endpoint Data Loss Prevention.
Use the client analyzer on devices running Windows, Linux, or macOS
- Run the client analyzer on Windows
- Run the client analyzer on Linux
- Run the client analyzer on macOS
Tip
Watch this video to get an overview of the client analyzer: Defender for Endpoint client analyzer overview
Privacy notice
The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by Microsoft Customer Support Services (CSS) to collect information that will help troubleshoot issues you might be experiencing with Microsoft Defender for Endpoint.
The collected data might contain Personally Identifiable Information (PII) and/or sensitive data, such as (but not limited to) IP addresses, PC names, and usernames.
Once data collection is complete, the tool saves the data locally on the machine within a subfolder and compressed zip file.
No data is automatically sent to Microsoft. If you're using the tool during collaboration on a support issue, you might be asked to send the compressed data to Microsoft CSS using Secure File Exchange to facilitate the investigation of the issue.
For more information about Secure File Exchange, see How to use Secure File Exchange to exchange files with Microsoft Support
For more information about our privacy statement, see Microsoft Privacy Statement.
Requirements
Before running the analyzer, we recommend ensuring your proxy or firewall configuration allows access to Microsoft Defender for Endpoint service URLs.
The analyzer can run on supported editions of Windows, Linux, or macOS either before of after onboarding to Microsoft Defender for Endpoint.
For Windows devices, if you're running the analyzer directly on specific machines and not remotely via Live Response, then SysInternals PsExec.exe should be allowed (at least temporarily) to run. The analyzer calls into PsExec.exe tool to run cloud connectivity checks as Local System and emulate the behavior of the SENSE service.
Note
On Windows devices, if you use the attack surface reduction rule Block process creations originating from PSExec and WMI commands, you might want to temporarily configure an exclusion to the ASR rule. Optionally, you can set the rule to audit or you can disable the rule. Making these configurations allow the analyzer to run connectivity checks to cloud without being blocked.
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.