Collect support logs in Microsoft Defender for Endpoint using live response
Want to experience Defender for Endpoint? Sign up for a free trial.
When contacting support, you may be asked to provide the output package of the Microsoft Defender for Endpoint Client Analyzer tool.
This topic provides instructions on how to run the tool via Live Response.
Download and fetch the required scripts available from within the 'Tools' sub-directory of the Microsoft Defender for Endpoint Client Analyzer.
For example, to get the basic sensor and device health logs, fetch "..\Tools\MDELiveAnalyzer.ps1".
If you also require Defender Antivirus support logs (MpSupportFiles.cab), then fetch "..\Tools\MDELiveAnalyzerAV.ps1"
Initiate a Live Response session on the machine you need to investigate.
Select Upload file to library.
Select Choose file.
Select the downloaded file named MDELiveAnalyzer.ps1 and then click on Confirm
While still in the LiveResponse session, use the commands below to run the analyzer and collect the result file:
Run MDELiveAnalyzer.ps1 GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip"
The latest preview version of MDEClientAnalyzer can be downloaded here: https://aka.ms/Betamdeanalyzer.
The LiveAnalyzer script downloads the troubleshooting package on the destination machine from: https://mdatpclientanalyzer.blob.core.windows.net.
If you cannot allow the machine to reach the above URL, then upload MDEClientAnalyzerPreview.zip file to the library before running the LiveAnalyzer script:
PutFile MDEClientAnalyzerPreview.zip -overwrite Run MDELiveAnalyzer.ps1 GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip"
For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender for Endpoint cloud services, or does not appear in Microsoft Defender for Endpoint portal as expected, see Verify client connectivity to Microsoft Defender for Endpoint service URLs.
As described in Live response command examples, you may want to use the '&' symbol at the end of the command to collect logs as a background action:
- Client analyzer overview
- Download and run the client analyzer
- Run the client analyzer on Windows
- Run the client analyzer on macOS or Linux
- Data collection for advanced troubleshooting on Windows
- Understand the analyzer HTML report
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.