Collect support logs in Microsoft Defender for Endpoint using live response

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

When contacting support, you may be asked to provide the output package of the Microsoft Defender for Endpoint Client Analyzer tool.

This topic provides instructions on how to run the tool via Live Response.

  1. Download the appropriate script

    • Microsoft Defender for Endpoint client sensor logs only: LiveAnalyzer.ps1 script.
      • Result package approximate size: ~100Kb
    • Microsoft Defender for Endpoint client sensor and Antivirus logs: LiveAnalyzer+MDAV.ps1 script.
      • Result package approximate size: ~10Mb
  2. Initiate a Live Response session on the machine you need to investigate.

  3. Select Upload file to library.

    Image of upload file.

  4. Select Choose file.

    Image of choose file button1.

  5. Select the downloaded file named MDELiveAnalyzer.ps1 and then click on Confirm

    Image of choose file button2.

  6. While still in the LiveResponse session, use the commands below to run the analyzer and collect the result file:

    Run MDELiveAnalyzer.ps1
    GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip"
    

    Image of commands.

Note

  • The latest preview version of MDEClientAnalyzer can be downloaded here: https://aka.ms/Betamdeanalyzer.

  • The LiveAnalyzer script downloads the troubleshooting package on the destination machine from: https://mdatpclientanalyzer.blob.core.windows.net.

    If you cannot allow the machine to reach the above URL, then upload MDEClientAnalyzerPreview.zip file to the library before running the LiveAnalyzer script:

    PutFile MDEClientAnalyzerPreview.zip -overwrite
    Run MDELiveAnalyzer.ps1
    GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip"
    
  • For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender for Endpoint cloud services, or does not appear in Microsoft Defender for Endpoint portal as expected, see Verify client connectivity to Microsoft Defender for Endpoint service URLs.

  • As described in Live response command examples, you may want to use the '&' symbol at the end of the command to collect logs as a background action:

    Run MDELiveAnalyzer.ps1&
    

See also