Collect support logs in Microsoft Defender for Endpoint using live response
Want to experience Defender for Endpoint? Sign up for a free trial.
When contacting support, you may be asked to provide the output package of the Microsoft Defender for Endpoint Client Analyzer tool.
This topic provides instructions on how to run the tool via Live Response.
Download the appropriate script
Initiate a Live Response session on the machine you need to investigate.
Select Upload file to library.
Select Choose file.
Select the downloaded file named MDELiveAnalyzer.ps1 and then click on Confirm
While still in the LiveResponse session, use the commands below to run the analyzer and collect the result file:
Run MDELiveAnalyzer.ps1 GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip"
The latest preview version of MDEClientAnalyzer can be downloaded here: https://aka.ms/Betamdeanalyzer.
The LiveAnalyzer script downloads the troubleshooting package on the destination machine from: https://mdatpclientanalyzer.blob.core.windows.net.
If you cannot allow the machine to reach the above URL, then upload MDEClientAnalyzerPreview.zip file to the library before running the LiveAnalyzer script:
PutFile MDEClientAnalyzerPreview.zip -overwrite Run MDELiveAnalyzer.ps1 GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip"
For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender for Endpoint cloud services, or does not appear in Microsoft Defender for Endpoint portal as expected, see Verify client connectivity to Microsoft Defender for Endpoint service URLs.
As described in Live response command examples, you may want to use the '&' symbol at the end of the command to collect logs as a background action: