Troubleshooting Microsoft Defender for Endpoint – Windows

It can be tricky to obtain information about the status of Microsoft Defender for Endpoint clients if they are not behaving as expected.

The ‘Microsoft Defender for Endpoint Client Analyzer’ (MDECA) tool addresses this by running quickly and producing an easy-to-read HTML report, alongside a compilation of relevant event logs and diagnostic information. If the HTML report itself doesn’t detail enough information about the issue, delving deeper into the diagnostic logs will show much more granular detail.

If you still can’t identify or resolve the issue after reviewing these, the same files can be provided to Microsoft support for further analysis. There are also other commands that can be used with the tool for advanced and specific troubleshooting.

The tool supports Windows, Linux and MacOS clients, and this post demonstrates the steps required to run the tool and the expected output from a Windows perspective.

The tool can be run locally on the device, or remotely via a Live response session from the Defender portal.

Local

1. Download the Microsoft Defender for Endpoint Client Analyzer tool –

https://aka.ms/MDEAnalyzer

2. Extract the ‘MDEClientAnalyzer.zip’ contents on the device.

3. Launch the command prompt as admin, and run the ‘MDEClientAnalyzer.cmd’ file.

4. Accept the EULA.

5. The tests will run, and results are written to the command prompt window. Additionally, the HTML report is created and presented at completion.

6. Use the output of the tool to understand potential issues or areas of misconfiguration.

7. Alongside the HTML report, logs and other useful diagnostic files are exported to the ‘MDEClientAnalyzerResult’ folder location. This includes –

  • System info logs
    • Installed programs
    • Certificates
    • Device join (dsregcmd)
    • Image file
    • Windows Updates
    • Device info
    • Onboarding
  • MDE ConfigMgr logs
    • Policies applied
    • Enrolment detail
  • Event logs
    • Azure Active Directory Runtime
    • Azure Active Directory Operational
    • Malware protection signature stub updates
    • Sense service
    • Telemetry client (UTC)
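The local procedure above (steps 1 to 5, plus listing the result folder from step 7) can be scripted so that it is run the same way on every device. The following PowerShell is an added example and is not part of the original post or of the MDECA tool itself. The download URL, zip name, .cmd name and result folder name are taken from the post; the working directory and the assumption that ‘MDEClientAnalyzerResult’ is written next to the .cmd are mine. It also checks the Authenticode signature of any executables in the package before running anything, which is a sensible step for a tool downloaded from a redirect link:

```powershell
# Added example (not from the original post or the MDECA tool): automates the local run.
# Assumptions: $WorkDir location; result folder written alongside MDEClientAnalyzer.cmd.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$WorkDir = (Join-Path $env:TEMP 'MDECA')
)

$ErrorActionPreference = 'Stop'

# Step 1: download. aka.ms redirects to the current package; Invoke-WebRequest follows it.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$zip = Join-Path $WorkDir 'MDEClientAnalyzer.zip'
Invoke-WebRequest -Uri 'https://aka.ms/MDEAnalyzer' -OutFile $zip -UseBasicParsing

# Step 2: extract.
$extractDir = Join-Path $WorkDir 'MDEClientAnalyzer'
Expand-Archive -Path $zip -DestinationPath $extractDir -Force

# Supply-chain check (not in the post): every .exe/.dll in the package must carry a
# valid Authenticode signature, otherwise stop before executing anything.
$unsigned = Get-ChildItem -Path $extractDir -Recurse -Include *.exe, *.dll |
    Get-AuthenticodeSignature |
    Where-Object { $_.Status -ne 'Valid' }
if ($unsigned) {
    $unsigned | Select-Object Path, Status | Format-Table -AutoSize
    throw 'Package contains binaries without a valid signature; not running.'
}

# Step 3: locate the .cmd (the zip may or may not contain a top-level folder).
$cmd = Get-ChildItem -Path $extractDir -Filter 'MDEClientAnalyzer.cmd' -Recurse |
    Select-Object -First 1
if (-not $cmd) { throw "MDEClientAnalyzer.cmd not found under $extractDir" }

# Steps 4 and 5: run it. The EULA prompt and the test output appear in the spawned
# console; -Wait blocks until the tool exits and the HTML report has been written.
Start-Process -FilePath $cmd.FullName -WorkingDirectory $cmd.DirectoryName -Wait

# Step 7: list what was collected (folder name from the post; its placement next to
# the .cmd is an assumption).
$result = Join-Path $cmd.DirectoryName 'MDEClientAnalyzerResult'
if (Test-Path $result) {
    Get-ChildItem -Path $result -Recurse -File |
        Select-Object @{ n = 'RelativePath'; e = { $_.FullName.Substring($result.Length).TrimStart('\') } }, Length |
        Format-Table -AutoSize
    # Re-open the HTML report so it can be reviewed after the script has finished.
    $report = Get-ChildItem -Path $result -Filter '*.htm*' -Recurse | Select-Object -First 1
    if ($report) { Invoke-Item $report.FullName }
} else {
    Write-Warning "Expected result folder not found: $result"
}
```

Run it from an elevated PowerShell session; the `#Requires -RunAsAdministrator` line refuses to start otherwise, which matches step 3’s requirement to run as admin. The EULA acceptance in step 4 remains interactive in the spawned console.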

The logs can then be looked into further. For example, the MDEClientAnalyzer.txt file will show the connectivity tests completed, and the result of each.

The policies.json file will detail the current configuration, such as Defender scanning configuration values.
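When triaging several result folders it helps to pull out the failed connectivity tests and the scanning-related policy values without opening each file by hand. The script below is an added example and not part of the original post or the tool. The file names MDEClientAnalyzer.txt and policies.json come from the post, but the post does not document their internal layout, so the text file is treated as free-form lines matched against failure keywords, and policies.json is flattened generically rather than assuming a schema. As a final step it cross-checks any scan-related values against what Get-MpPreference reports the engine is actually running with, which is how you tell an applied policy from one that only exists in the report:

```powershell
# Added example (not from the original post or the MDECA tool).
# Assumptions: layout of MDEClientAnalyzer.txt and policies.json is unknown, so the
# code does not rely on specific keys; leaf names in policies.json are compared to
# Get-MpPreference property names only where they happen to coincide.
param(
    [Parameter(Mandatory)] [string]$ResultFolder   # path to a MDEClientAnalyzerResult folder
)

function Get-FlaggedLines {
    # Returns lines of the analyzer text output that look like failed checks.
    param([string]$Path)
    $pattern = 'fail|error|unreachable|not connected|denied|blocked|timed out'
    Select-String -Path $Path -Pattern $pattern |
        ForEach-Object { [pscustomobject]@{ Line = $_.LineNumber; Text = $_.Line.Trim() } }
}

function ConvertTo-FlatSettings {
    # Flattens nested JSON into "dotted.path = value" pairs so any key can be searched
    # without knowing the schema in advance.
    param($Node, [string]$Prefix = '')
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        foreach ($p in $Node.PSObject.Properties) {
            $name = if ($Prefix) { "$Prefix.$($p.Name)" } else { $p.Name }
            ConvertTo-FlatSettings -Node $p.Value -Prefix $name
        }
    } elseif ($Node -is [System.Collections.IEnumerable] -and $Node -isnot [string]) {
        $i = 0
        foreach ($item in $Node) { ConvertTo-FlatSettings -Node $item -Prefix "${Prefix}[$i]"; $i++ }
    } else {
        [pscustomobject]@{ Setting = $Prefix; Value = $Node }
    }
}

$txt  = Get-ChildItem -Path $ResultFolder -Filter 'MDEClientAnalyzer.txt' -Recurse | Select-Object -First 1
$json = Get-ChildItem -Path $ResultFolder -Filter 'policies.json' -Recurse | Select-Object -First 1

if ($txt) {
    Write-Host "Lines needing attention in $($txt.Name):"
    Get-FlaggedLines -Path $txt.FullName | Format-Table -AutoSize
} else {
    Write-Warning 'MDEClientAnalyzer.txt not found'
}

if ($json) {
    $policy   = Get-Content -Path $json.FullName -Raw | ConvertFrom-Json
    $flat     = ConvertTo-FlatSettings -Node $policy
    $scanKeys = $flat | Where-Object { $_.Setting -match 'scan' }

    Write-Host 'Scan-related settings reported in policies.json:'
    $scanKeys | Format-Table -AutoSize

    # Cross-check against the live engine state. A reported value that does not match
    # Get-MpPreference means the policy was not applied, or is exposed under another name.
    $live = Get-MpPreference
    $compare = foreach ($s in $scanKeys) {
        $leaf = (($s.Setting -split '\.')[-1]) -replace '\[\d+\]$', ''
        $prop = $live.PSObject.Properties[$leaf]
        if ($prop) {
            [pscustomobject]@{
                Setting  = $leaf
                Reported = $s.Value
                Live     = $prop.Value
                Match    = ("$($s.Value)" -eq "$($prop.Value)")
            }
        }
    }
    Write-Host 'Reported vs live (only keys that exist in Get-MpPreference):'
    $compare | Format-Table -AutoSize
} else {
    Write-Warning 'policies.json not found'
}
```

Point `-ResultFolder` at the folder produced in step 7. Because Get-MpPreference queries the local Defender engine, the cross-check is only meaningful when the script runs on the same device the result folder came from.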

Live response

To run the tool remotely via a Live response session, go to the Defender portal, locate the device, and initiate a Live response session.

1. Select ‘Upload file to library’.

2. Upload the MDELiveAnalyzer.ps1 file from the MDEClientAnalyzer\Tools\ directory.

3. Run the script with the ‘Run MDELiveAnalyzer.ps1’ command.

4. Output is shown on the console and exported as a zip file, which can be downloaded to the device where the Live response session was initiated with the following command:

GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip"

The download proceeds the same as any other browser-based download.

Advanced troubleshooting can be completed using switches with the MDEClientAnalyzer.cmd tool, and these are detailed here – https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/data-collection-analyzer?view=o365-worldwide
