Commit 7aafabf

committed
edits
1 parent ef269fc commit 7aafabf

7 files changed, +22 -22 lines changed

defender-endpoint/data-collection-analyzer.md

Lines changed: 3 additions & 3 deletions
@@ -49,7 +49,7 @@ Run `MDEClientAnalyzer.cmd /?` to see the list of available parameters and their
4949
|`-v`|Uses antivirus [MpCmdRun.exe command line argument](/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) with most verbose -trace flags. |Anytime an advanced troubleshooting is needed. Such as when troubleshooting Cloud Protection (MAPS) reporting failures, Platform Update failures, Engine update failures, Security Intelligence Update failures, False negatives, etc. Can also be used with `-b`, `-c`, `-h`, or `-l`.|`MsMpEng.exe` |
5050
|`-t` |Starts verbose trace of all client-side components relevant to Endpoint DLP, which is useful for scenarios where [DLP actions](/microsoft-365/compliance/endpoint-dlp-learn-about#endpoint-activities-you-can-monitor-and-take-action-on) aren't happening as expected for files. |When running into issues where the Microsoft Endpoint Data Loss Prevention (DLP) actions expected aren't occurring.|`MpDlpService.exe` |
5151
|`-q`|Calls into DLPDiagnose.ps1 script from the analyzer `Tools` directory that validates the basic configuration and requirements for Endpoint DLP. |Checks the basic configuration and requirements for Microsoft Endpoint DLP|`MpDlpService.exe`|
52-
|`-d`|Collects a memory dump of `MsSenseS.exe` (the sensor process on Windows Server 2016 or older OS) and related processes. - \* This flag can be used with above mentioned flags. - \*\* Capturing a memory dump of [PPL protected processes](/windows-hardware/drivers/install/early-launch-antimalware) such as `MsSense.exe` or `MsMpEng.exe` isn't supported by the analyzer at this time.|On Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2 or Windows Server 2016 running w/ the MMA agent and having performance (high cpu or high memory usage) or application compatibility issues. |`MsSenseS.exe`|
52+
|`-d`|Collects a memory dump of `MsSenseS.exe` (the sensor process on Windows Server 2016 or older OS) and related processes. - \* This flag can be used with above mentioned flags. - \*\* Capturing a memory dump of [PPL protected processes](/windows-hardware/drivers/install/early-launch-antimalware) such as `MsSense.exe` or `MsMpEng.exe` isn't supported by the analyzer at this time.|On Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016 running w/ the MMA agent and having performance (high cpu or high memory usage) or application compatibility issues. |`MsSenseS.exe`|
5353
|`-z` |Configures registry keys on the machine to prepare it for full machine memory dump collection via [CrashOnCtrlScroll](/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard). This would be useful for analysis of computer freeze issues. \* Hold down the rightmost CTRL key, then press the SCROLL LOCK key twice. |Machine hanging or being unresponsive or slow. High memory usage (Memory leak): a) User mode: Private bytes b) Kernel mode: paged pool or nonpaged pool memory, handle leaks.|`MSSense.exe` or `MsMpEng.exe` |
5454
|`-k` |Uses [NotMyFault](/sysinternals/downloads/notmyfault) tool to force the system to crash and generate a machine memory dump. This would be useful for analysis of various OS stability issues. |Same as above.|`MSSense.exe` or `MsMpEng.exe` |
5555
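
Review bot: the serial comma added to the `-d` row on line 52 is fine, but the same row still reads "above mentioned flags", "running w/ the MMA agent" and "high cpu"; since the row is being edited anyway, hyphenate "above-mentioned", expand "w/" to "with", and capitalize "CPU" so the table reads like the rest of the article.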

@@ -66,14 +66,14 @@ The analyzer, and all of the scenario flags listed in this article, can be initi
6666

6767
When you use `RemoteMDEClientAnalyzer.cmd`, it calls into `psexec` to download the tool from the configured file share and then run it locally via `PsExec.exe`.
6868

69-
The CMD script uses the `-r` flag to specify that it is running remotely within SYSTEM context, and so no prompt is presented to the user.
69+
The CMD script uses the `-r` flag to specify that it's running remotely within SYSTEM context, and so no prompt is presented to the user.
7070

7171
That same flag can be used with `MDEClientAnalyzer.cmd` to avoid a prompt to the user to specify the number of minutes for data collection. For example, consider `MDEClientAnalyzer.cmd -r -i -m 5`.
7272

7373
- `-r` indicates that tool is being run from remote (or non-interactive context).
7474
- `-i` is the scenario flag for collection of network trace along with other related logs.
7575
- `-m #` denotes the number of minutes to run (we used 5 minutes in our example).
7676

77-
When using `MDEClientAnalyzer.cmd`, the script checks for privileges using `net session`, which requires the service `Server` to be running. If it's not, you will get the error message _Script is running with insufficient privileges_. Run it with administrator privileges if ECHO is off.
77+
When using `MDEClientAnalyzer.cmd`, the script checks for privileges using `net session`, which requires the service `Server` to be running. If it's not, you'll get the error message _Script is running with insufficient privileges_. Run it with administrator privileges if ECHO is off.
7878

7979
[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
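
Review bot: the contraction on line 77 leaves the sentence "Run it with administrator privileges if ECHO is off." unexplained. "ECHO is off." is the text cmd prints when a batch script echoes an empty variable, so the sentence should say what the reader actually observes (for example, that the script output shows the literal text `ECHO is off.` instead of a privilege check result) or be removed if that symptom no longer occurs. Line 73 "indicates that tool is being run" also needs "the" before "tool".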

defender-endpoint/overview-client-analyzer.md

Lines changed: 6 additions & 6 deletions
@@ -26,7 +26,7 @@ ms.date: 04/01/2025
2626
- [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
2727
- [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
2828

29-
The [Microsoft Defender for Endpoint Client Analyzer](https://aka.ms/MDEClientAnalyzer) (MDECA) can be useful when diagnosing sensor health or reliability issues on [onboarded devices](onboard-configure.md) running either Windows, Linux, or macOS. For example, you may want to run the analyzer on a machine that appears to be unhealthy according to the displayed [sensor health status](fix-unhealthy-sensors.md) (Inactive, No Sensor Data or Impaired Communications) in the security portal.
29+
The [Microsoft Defender for Endpoint Client Analyzer](https://aka.ms/MDEClientAnalyzer) (MDECA) can be useful when diagnosing sensor health or reliability issues on [onboarded devices](onboard-configure.md) running either Windows, Linux, or macOS. For example, you might want to run the analyzer on a machine that appears to be unhealthy according to the displayed [sensor health status](fix-unhealthy-sensors.md) (Inactive, No Sensor Data or Impaired Communications) in the security portal.
3030

3131
Besides obvious sensor health issues, MDECA can collect other traces, logs, and diagnostic information for troubleshooting complex scenarios such as:
3232
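
Review bot: the "may" to "might" change on line 29 is consistent with the rest of this commit, but the list "(Inactive, No Sensor Data or Impaired Communications)" on the same line lacks the serial comma that this commit adds in data-collection-analyzer.md line 52; write "(Inactive, No Sensor Data, or Impaired Communications)" so the two files follow the same convention.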

@@ -44,13 +44,13 @@ Besides obvious sensor health issues, MDECA can collect other traces, logs, and
4444
4545
## Privacy notice
4646

47-
- The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by Microsoft Customer Support Services (CSS) to collect information that will help troubleshoot issues you may be experiencing with Microsoft Defender for Endpoint.
47+
- The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by Microsoft Customer Support Services (CSS) to collect information that will help troubleshoot issues you might be experiencing with Microsoft Defender for Endpoint.
4848

49-
- The collected data may contain Personally Identifiable Information (PII) and/or sensitive data, such as (but not limited to) IP addresses, PC names, and usernames.
49+
- The collected data might contain Personally Identifiable Information (PII) and/or sensitive data, such as (but not limited to) IP addresses, PC names, and usernames.
5050

5151
- Once data collection is complete, the tool saves the data locally on the machine within a subfolder and compressed zip file.
5252

53-
- No data is automatically sent to Microsoft. If you are using the tool during collaboration on a support issue, you may be asked to send the compressed data to Microsoft CSS using Secure File Exchange to facilitate the investigation of the issue.
53+
- No data is automatically sent to Microsoft. If you're using the tool during collaboration on a support issue, you might be asked to send the compressed data to Microsoft CSS using Secure File Exchange to facilitate the investigation of the issue.
5454

5555
For more information about Secure File Exchange, see [How to use Secure File Exchange to exchange files with Microsoft Support](/troubleshoot/azure/general/secure-file-exchange-transfer-files)
5656
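
Review bot: line 47 still reads "information that will help troubleshoot" even though this same commit replaces "will contain" with "contains" in run-analyzer-windows.md line 103; for the same reason it should read "information that helps troubleshoot". Line 55 in the trailing context also ends on the link with no terminating period.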

@@ -62,9 +62,9 @@ For more information about our privacy statement, see [Microsoft Privacy Stateme
6262

6363
- The analyzer can run on supported editions of [Windows](minimum-requirements.md#supported-windows-versions), [Linux](/defender-endpoint/mde-linux-prerequisites), or [macOS](microsoft-defender-endpoint-mac.md#system-requirements) either before of after onboarding to Microsoft Defender for Endpoint.
6464

65-
- For Windows devices, if you are running the analyzer directly on specific machines and not remotely via [Live Response](troubleshoot-collect-support-log.md), then SysInternals [PsExec.exe](/sysinternals/downloads/psexec) should be allowed (at least temporarily) to run. The analyzer calls into PsExec.exe tool to run cloud connectivity checks as Local System and emulate the behavior of the SENSE service.
65+
- For Windows devices, if you're running the analyzer directly on specific machines and not remotely via [Live Response](troubleshoot-collect-support-log.md), then SysInternals [PsExec.exe](/sysinternals/downloads/psexec) should be allowed (at least temporarily) to run. The analyzer calls into PsExec.exe tool to run cloud connectivity checks as Local System and emulate the behavior of the SENSE service.
6666

6767
> [!NOTE]
68-
> On Windows devices, if you use the attack surface reduction rule [Block process creations originating from PSExec and WMI commands](attack-surface-reduction-rules-reference.md#block-process-creations-originating-from-psexec-and-wmi-commands), you might want to temporarily [configure an exclusion to the ASR rule](enable-attack-surface-reduction.md#exclude-files-and-folders-from-attack-surface-reduction-rules). Optionally, you can set the rule to **audit** or you can disable the rule. Making these configurations allows the analyzer to run connectivity checks to cloud without being blocked.
68+
> On Windows devices, if you use the attack surface reduction rule [Block process creations originating from PSExec and WMI commands](attack-surface-reduction-rules-reference.md#block-process-creations-originating-from-psexec-and-wmi-commands), you might want to temporarily [configure an exclusion to the ASR rule](enable-attack-surface-reduction.md#exclude-files-and-folders-from-attack-surface-reduction-rules). Optionally, you can set the rule to **audit** or you can disable the rule. Making these configurations allow the analyzer to run connectivity checks to cloud without being blocked.
6969
7070
[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
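
Review bot: the change on line 68 from "allows" to "allow" introduces a subject-verb disagreement: the subject is the gerund phrase "Making these configurations", which is singular, so "allows" was correct and should be restored. Two slips in the unchanged context of the same hunk are worth fixing while it is open: line 63 "either before of after onboarding" should be "before or after", and line 65 "calls into PsExec.exe tool" needs "the" before "PsExec.exe".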

defender-endpoint/run-analyzer-linux.md

Lines changed: 1 addition & 1 deletion
@@ -379,7 +379,7 @@ A single report `installation_report.json` is generated. The keys in the file ar
379379
| onboarding_status | The onboarding and ring info |
380380
| support_status | MDE is supported with the current system configurations |
381381
| distro | The distro on which the agent is installed in supported or not |
382-
| connectivitytest | The connectivity test stratus|
382+
| connectivitytest | The connectivity tests stratus|
383383
| min_requirement | The minimum requirements for CPU and Memory are met|
384384
| external_depedency | The external dependencies are satisfied or not |
385385
| mde_health | Health status of MDE Agent|
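
Review bot: the change on line 382 pluralizes "test" but leaves the actual typo in place: "stratus" should be "status", so the cell should read "The connectivity test status" (or "tests status" if the report covers several checks). Line 381 in the same hunk has a similar slip: "is installed in supported or not" should be "is installed is supported or not".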

defender-endpoint/run-analyzer-macos.md

Lines changed: 3 additions & 3 deletions
@@ -84,7 +84,7 @@ The client analyzer depends on few extra PIP packages (`decorator`, `sh`, `distr
8484
The tool currently requires Python version 3 or later to be installed on your device. If your device is behind a proxy, then you can pass the proxy server as an environment variable to the `mde_support_tool.sh` script. For example: `https_proxy=https://myproxy.contoso.com:8080 ./mde_support_tool.sh"`.
8585

8686
> [!WARNING]
87-
> Running the Python-based client analyzer requires the installation of PIP packages which could cause some issues in your environment. To avoid issues from occurring, it is recommended that you install the packages into a user PIP environment.
87+
> Running the Python-based client analyzer requires the installation of PIP packages which could cause some issues in your environment. To avoid issues from occurring, it's recommended that you install the packages into a user PIP environment.
8888
8989
1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool to the Mac machine you're investigating.
9090
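
Review bot: line 84 in this hunk carries a stray closing quote in the proxy example, `./mde_support_tool.sh"`, with no opening quote to match it, so a reader who copies the command gets a shell syntax error; it should read `https_proxy=https://myproxy.contoso.com:8080 ./mde_support_tool.sh`. The hunk header's "depends on few extra PIP packages" should also be "a few extra PIP packages".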

@@ -127,7 +127,7 @@ The tool currently requires Python version 3 or later to be installed on your de
127127
./mde_support_tool.sh
128128
```
129129
130-
7. When you download files on macOS, it automatically adds a new extended attribute called com.apple.quarantine which is scanned by Gatekeeper. Before running, you will want to remove this extended attribute:
130+
7. When you download files on macOS, it automatically adds a new extended attribute called com.apple.quarantine which is scanned by Gatekeeper. Before running, you'll want to remove this extended attribute:
131131

132132
```bash
133133
xattr -c MDESupportTools
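
Review bot: the step text on line 130 says to remove the `com.apple.quarantine` extended attribute, but the command shown on line 133, `xattr -c MDESupportTools`, clears every extended attribute on the file rather than that one. Either change the command to `xattr -d com.apple.quarantine MDESupportTools`, which removes only the quarantine flag, or reword the step to say that all extended attributes are cleared, so the text and the command agree.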
@@ -137,7 +137,7 @@ The tool currently requires Python version 3 or later to be installed on your de
137137

138138
"You might get a "MDESupportTool" Not Opened
139139
140-
Apple could not verify "MDESupportTool" is free of malware that may harm your Mac or compromise your privacy"
140+
Apple couldn't verify "MDESupportTool" is free of malware that might harm your Mac or compromise your privacy"
141141

142142
8. To collect actual diagnostic package and generate the result archive file, run again as root:
143143

defender-endpoint/run-analyzer-windows.md

Lines changed: 3 additions & 3 deletions
@@ -89,18 +89,18 @@ Example contents after MDEClientAnalyzer.ps1 is modified:
8989
## Result package contents on Windows
9090

9191
> [!NOTE]
92-
> The exact files captured may change depending on factors such as:
92+
> The exact files captured might change depending on factors such as:
9393
>
9494
> - The version of windows on which the analyzer is run.
9595
> - Event log channel availability on the machine.
96-
> - The start state of the EDR sensor (Sense is stopped if machine is not yet onboarded).
96+
> - The start state of the EDR sensor (Sense is stopped if machine isn't yet onboarded).
9797
> - If an advanced troubleshooting parameter was used with the analyzer command.
9898
9999
By default, the unpacked `MDEClientAnalyzerResult.zip` file contains the items listed in the following table:
100100

101101
| Folder | Item | Description |
102102
|--|--|--|
103-
| | `MDEClientAnalyzer.htm` | This is the main HTML output file, which will contain the findings and guidance that the analyzer script run on the machine can produce. |
103+
| | `MDEClientAnalyzer.htm` | This is the main HTML output file, which contains the findings and guidance that the analyzer script run on the machine can produce. |
104104
| `SystemInfoLogs` | `AddRemovePrograms.csv` | List of x64 installed software on x64 OS collected from registry |
105105
| `SystemInfoLogs` | `AddRemoveProgramsWOW64.csv` | List of x86 installed software on x64 OS collected from registry |
106106
| `SystemInfoLogs` | `CertValidate.log` | Detailed result from certificate revocation executed by calling into [CertUtil](/windows-server/administration/windows-commands/certutil) |
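
Review bot: the tense and contraction edits on lines 92, 96 and 103 are fine, but two unchanged lines in the same note need the same care: line 94 "The version of windows" should capitalize "Windows", and line 96 "if machine isn't yet onboarded" reads better as "if the machine isn't yet onboarded". The `SystemInfoLogs` rows on lines 104 and 105 could also say "collected from the registry".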

defender-endpoint/troubleshoot-performance-issues.md

Lines changed: 1 addition & 1 deletion
@@ -30,7 +30,7 @@ ms.collection:
3030
- Windows
3131
- Windows Server
3232

33-
If your system is having high CPU usage or performance issues related to the Microsoft Defender Antivirus (Antimalware Service Executable, MsMpEng.exe, Microsoft Defender Antivirus).
33+
If your system is having high CPU usage or performance issues related to the Microsoft Defender Antivirus (Anti-malware Service Executable, MsMpEng.exe, Microsoft Defender Antivirus).
3434

3535
As an admin, you can also troubleshoot these issues on your own.
3636
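
Review bot: the change on line 33 from "Antimalware Service Executable" to "Anti-malware Service Executable" alters a UI name: "Antimalware Service Executable" is the exact description Task Manager shows for MsMpEng.exe, so a reader searching for the hyphenated form will not find it; revert to the unhyphenated spelling. Independently, line 33 is a sentence fragment (the "If your system is having ..." clause has no main clause); complete it, for example by joining it to line 35: "..., you can troubleshoot these issues on your own as an admin."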

defender-endpoint/troubleshoot-settings.md

Lines changed: 5 additions & 5 deletions
@@ -31,7 +31,7 @@ Microsoft Defender Antivirus provides numerous ways to manage the product, which
3131

3232
- Microsoft Defender for Endpoint security settings management
3333
- Microsoft Intune (MDM)
34-
- Microsoft Configuration Manager with Tenant Attach
34+
- Microsoft Configuration Manager with Tenant Attaches
3535
- Microsoft Configuration Manager co-management
3636
- Microsoft Configuration Manager (standalone)
3737
- Group Policy (GPO)
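
Review bot: the change on line 34 from "Tenant Attach" to "Tenant Attaches" is incorrect: "tenant attach" is the name of the Configuration Manager feature, not a verb, so it must not be pluralized; revert to "Microsoft Configuration Manager with Tenant Attach". The same edit is repeated on lines 65 and 78 of this file and needs reverting there as well.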
@@ -62,11 +62,11 @@ When policies and settings are configured in multiple tools, in general, here's
6262
1. Microsoft Configuration Manager co-management
6363
1. Microsoft Configuration Manager (standalone)
6464
1. Microsoft Intune (MDM)
65-
1. Microsoft Configuration Manager with Tenant Attach
65+
1. Microsoft Configuration Manager with Tenant Attaches
6666
1. PowerShell ([Set-MpPreference](/powershell/module/defender/set-mppreference)), [MpCmdRun.exe](command-line-arguments-microsoft-defender-antivirus.md), or [Windows Management Instrumentation](use-wmi-microsoft-defender-antivirus.md) (WMI).
6767

6868
> [!WARNING]
69-
> [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) is a Policy CSP setting that does not apply for all settings, such as [attack surface reduction rules](attack-surface-reduction-rules-reference.md) (ASR rules) in Windows 10.
69+
> [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) is a Policy CSP setting that doesn't apply for all settings, such as [attack surface reduction rules](attack-surface-reduction-rules-reference.md) (ASR rules) in Windows 10.
7070
7171
## Step 2: Determine where Microsoft Defender Antivirus settings are configured
7272
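
Review bot: line 65 has the same problem as line 34: "Tenant Attaches" should be reverted to "Tenant Attach", the feature name, so the precedence list on lines 62 to 66 names the tools exactly as the list on lines 32 to 37 does. The "does not" to "doesn't" change in the warning on line 69 is fine.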

@@ -75,7 +75,7 @@ Find out whether Microsoft Defender Antivirus settings are coming through a poli
7575
|Policy or setting| Registry location | Tools|
7676
| -------- | -------- | -------- |
7777
|Policy| `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`|- Microsoft Defender for Endpoint security settings management<br/>- Microsoft Configuration Manager co-management<br/>- Microsoft Configuration Manager<br/>- GPO|
78-
|MDM|`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager` |- Microsoft Intune (MDM)<br/>- Microsoft Configuration Manager with Tenant Attach|
78+
|MDM|`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager` |- Microsoft Intune (MDM)<br/>- Microsoft Configuration Manager with Tenant Attaches|
7979
|Local setting|`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender`|- MpCmdRun.exe<br/>- PowerShell (Set-MpPreference)<br/>- Windows Management Instrumentation (WMI)|
8080

8181
## Step 3: Identify policies or settings
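
Review bot: line 78 again pluralizes the feature name; restore "Microsoft Configuration Manager with Tenant Attach" in the MDM row so the Tools column uses the same name as the list at the top of the article and the precedence list in Step 1.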
@@ -85,7 +85,7 @@ The following table describes how to identify policies and settings.
8585
|Method used | What to check |
8686
| -------- | -------- |
8787
|Policy| - If you're using GPO: Select **Start**, open Command Prompt as an administrator, and then run the command `GpResult.exe /h C:\temp\GpResult_output.html`. <br/>- If you're using Microsoft Configuration Manager co-management or Microsoft Configuration Manager (standalone), go to `C:\Windows\CCM\Logs`.|
88-
|MDM | If you're using Intune, on your device, select Start, open Command Prompt as an administrator, and then run the command `mdmdiagnosticstool.exe -out "c:\temp\MDMDiagReport.zip"`. For more details, see [Collect MDM logs - Windows Client Management](/windows/client-management/mdm-collect-logs). |
88+
|MDM | If you're using Intune, on your device, select Start, open Command Prompt as an administrator, and then run the command `mdmdiagnosticstool.exe -out "c:\temp\MDMDiagReport.zip"`. For more information, see [Collect MDM logs - Windows Client Management](/windows/client-management/mdm-collect-logs). |
8989
|Local setting | Determine whether the policy or setting was deployed during the imaging (sysprep), via PowerShell (for example, Set-MpPreference), Windows Management Instrumentation (WMI), or through a direct modification to the registry.|
9090

9191
## Step 4: Remove or revise conflicting policies
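
Review bot: the wording change on line 88 is fine, but the row is now inconsistent with the Policy row directly above it: line 87 writes "Select **Start**" with bold for the UI element while line 88 writes "select Start" unformatted; use the same capitalization and bold in both rows.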
