Merge pull request #3116 from MicrosoftDocs/MDEClientAnalyzerPreview

denisebmsft · web-flow · commit d46cb4355082 · 2025-03-12T10:18:04.000-07:00
Mde client analyzer preview
diff --git a/defender-endpoint/configure-device-connectivity.md b/defender-endpoint/configure-device-connectivity.md
@@ -14,7 +14,7 @@ ms.collection:
 ms.reviewer: pahuijbr
 search.appverid: MET150
 audience: ITPro
-ms.date: 02/04/2025
+ms.date: 03/12/2025
 ---
 
 # Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint 
@@ -170,11 +170,11 @@ The following preonboarding checks can be run on both Windows and Xplat MDE Clie
 
 To test streamlined connectivity for devices not yet onboarded to Defender for Endpoint, you can use the Client Analyzer for Windows using the following commands: 
 
-- Run `mdeclientanalyzer.cmd -o <path to cmd file>`  from within MDEClientAnalyzer folder. The command uses parameters from onboarding package to test connectivity.
+- Run `mdeclientanalyzer.cmd -o <path to cmd file>`  from within the MDEClientAnalyzer folder. The command uses parameters from onboarding package to test connectivity.
 
 - Run `mdeclientanalyzer.cmd -g <GW_US, GW_UK, GW_EU>` , where parameter is of GW_US, GW_EU, GW_UK. GW refers to the streamlined option. Run with applicable tenant geo.
 
-As a supplementary check, you can also use the client analyzer to test whether a device meets prerequisites: https://aka.ms/MDEClientAnalyzerPreview
+As a supplementary check, you can also use the client analyzer to test whether a device meets prerequisites: [MDEClientAnalyzerPreview.zip]{https://aka.ms/MDEClientAnalyzerPreview}.
  
 
 > [!NOTE]
diff --git a/defender-endpoint/download-client-analyzer.md b/defender-endpoint/download-client-analyzer.md
@@ -16,7 +16,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: ngp
 search.appverid: met150
-ms.date: 02/21/2024
+ms.date: 03/12/2025
 ---
 
 # Download the Microsoft Defender for Endpoint client analyzer
@@ -29,13 +29,12 @@ Learn how to download the Microsoft Defender for Endpoint client analyzer on sup
 
 ## Download client analyzer for Windows OS
 
-1. The latest stable edition is available for download from following URL: <https://aka.ms/MDEAnalyzer>
-2. The latest preview edition is available for download from following URL: <https://aka.ms/MDEClientAnalyzerPreview>
+- The latest *stable* edition is available for download at [https://aka.ms/MDEAnalyzer](https://aka.ms/MDEAnalyzer).
+- The latest *preview* edition is available for download at [https://aka.ms/MDEClientAnalyzerPreview](https://aka.ms/MDEClientAnalyzerPreview).
 
 ## Download client analyzer for macOS or Linux
 
-1. The latest stable edition will be integrated into the Microsoft Defender for Endpoint agent. Ensure that you are running the latest edition for either [macOS](mac-whatsnew.md) or [Linux](linux-whatsnew.md).
-
-2. The latest preview edition is available for direct download from following URL: <https://aka.ms/XMDEClientAnalyzer>
+- The latest stable edition is integrated into the Microsoft Defender for Endpoint agent. Ensure that you are running the latest edition for either [macOS](mac-whatsnew.md) or [Linux](linux-whatsnew.md).
+- The latest *preview* edition is available for download at [https://aka.ms/XMDEClientAnalyzer](https://aka.ms/XMDEClientAnalyzer).
 
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
diff --git a/defender-endpoint/run-analyzer-windows.md b/defender-endpoint/run-analyzer-windows.md
@@ -17,7 +17,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: ngp
 search.appverid: met150
-ms.date: 05/05/2024
+ms.date: 03/12/2025
 ---
 
 # Run the client analyzer on Windows
@@ -32,15 +32,14 @@ You can collect the Defender for Endpoint analyzer support logs remotely using [
 
 ## Option 2: Run MDE Client Analyzer locally
 
-1. Download the [MDE Client Analyzer tool](https://aka.ms/mdatpanalyzer) or [Beta MDE Client Analyzer tool](https://aka.ms/MDEClientAnalyzerPreview) to the Windows device you want to investigate.
+1. Download the [MDE Client Analyzer tool](https://aka.ms/mdatpanalyzer) or [MDE Client Analyzer tool (preview)](https://aka.ms/MDEClientAnalyzerPreview) to the Windows device you want to investigate. The file is saved to your Downloads folder by default.
 
-   The file is saved to your Downloads folder by default.
-
-2. Extract the contents of MDEClientAnalyzer.zip to an available folder.
+2. Extract the contents of `MDEClientAnalyzer.zip` to an available folder.
 
 3. Open a command line with administrator permissions: 
 
    1. Go to **Start** and type **cmd**.
+   
    1. Right-click **Command prompt** and select **Run as administrator**.
 
 4. Type the following command and then press **Enter**:
@@ -86,93 +85,30 @@ Example contents after MDEClientAnalyzer.ps1 is modified:
 > - The start state of the EDR sensor (Sense is stopped if machine is not yet onboarded).
 > - If an advanced troubleshooting parameter was used with the analyzer command.
 
-By default, the unpacked MDEClientAnalyzerResult.zip file contains the following items.
-
-- MDEClientAnalyzer.htm
-
-  This is the main HTML output file, which will contain the findings and guidance that the analyzer script run on the machine can produce.
-
-- SystemInfoLogs [Folder]
-
-  - AddRemovePrograms.csv
-
-    Description: List of x64 installed software on x64 OS collected from registry.
-
-  - AddRemoveProgramsWOW64.csv
-
-    Description: List of x86 installed software on x64 OS collected from registry.
-
-    - CertValidate.log
-
-      Description: Detailed result from certificate revocation executed by calling into [CertUtil](/windows-server/administration/windows-commands/certutil).
-
-    - dsregcmd.txt
-
-      Description: Output from running [dsregcmd](/azure/active-directory/devices/troubleshoot-device-dsregcmd). This provides details about the Microsoft Entra status of the machine.
-
-    - IFEO.txt
-
-      Description: Output of [Image File Execution Options](/previous-versions/windows/desktop/xperf/image-file-execution-options) configured on the machine
-
-    - MDEClientAnalyzer.txt
-
-      Description: This is verbose text file showing with details of the analyzer script execution.
-
-    - MDEClientAnalyzer.xml
-
-      Description: XML format containing the analyzer script findings.
-
-    - RegOnboardedInfoCurrent.Json
-
-      Description: The onboarded machine information gathered in JSON format from the registry.
-
-  - RegOnboardingInfoPolicy.Json
-
-    Description: The onboarding policy configuration gathered in JSON format from the registry.
-
-    - SCHANNEL.txt
-
-      Description: Details about [SCHANNEL configuration](/windows-server/security/tls/manage-tls) applied to the machine such gathered from registry.
-
-    - SessionManager.txt
-
-      Description: Session Manager specific settings gather from registry.
-
-    - SSL_00010002.txt
-
-      Description: Details about [SSL configuration](/windows-server/security/tls/manage-tls) applied to the machine gathered from registry.
-
-- EventLogs [Folder]
-
-  - utc.evtx
-
-    Description: Export of DiagTrack event log
-
-  - senseIR.evtx
-
-    Description: Export of the Automated Investigation event log
-
-  - sense.evtx
-
-    Description: Export of the Sensor main event log
-
-  - OperationsManager.evtx
-
-    Description: Export of the Microsoft Monitoring Agent event log
-
-- MdeConfigMgrLogs [Folder]
-
-  - SecurityManagementConfiguration.json
-
-    Description: Configurations sent from MEM (Microsoft Endpoint Manager) for enforcement.
-
-  - policies.json
-
-    Description: Policies settings to be enforced on the device.
-
-  - report_xxx.json
-
-    Description: Corresponding enforcement results.
+By default, the unpacked `MDEClientAnalyzerResult.zip` file contains the items listed in the following table:
+
+| Folder | Item | Description |
+|--|--|--|
+| | `MDEClientAnalyzer.htm` | This is the main HTML output file, which will contain the findings and guidance that the analyzer script run on the machine can produce. |
+| `SystemInfoLogs` | `AddRemovePrograms.csv` | List of x64 installed software on x64 OS collected from registry |
+| `SystemInfoLogs` | `AddRemoveProgramsWOW64.csv` | List of x86 installed software on x64 OS collected from registry |
+| `SystemInfoLogs` | `CertValidate.log` | Detailed result from certificate revocation executed by calling into [CertUtil](/windows-server/administration/windows-commands/certutil) |
+| `SystemInfoLogs` | `dsregcmd.txt` | Output from running [dsregcmd](/azure/active-directory/devices/troubleshoot-device-dsregcmd). This provides details about the Microsoft Entra status of the machine. |
+| `SystemInfoLogs` | `IFEO.txt` | Output of [Image File Execution Options](/previous-versions/windows/desktop/xperf/image-file-execution-options) configured on the machine |
+| `SystemInfoLogs` | `MDEClientAnalyzer.txt` | This is verbose text file showing with details of the analyzer script execution. |
+| `SystemInfoLogs` | `MDEClientAnalyzer.xml` | XML format containing the analyzer script findings |
+| `SystemInfoLogs` | `RegOnboardedInfoCurrent.Json` | The onboarded machine information gathered in JSON format from the registry |
+| `SystemInfoLogs` | `RegOnboardingInfoPolicy.Json` | The onboarding policy configuration gathered in JSON format from the registry |
+| `SystemInfoLogs` | `SCHANNEL.txt` | Details about [SCHANNEL configuration](/windows-server/security/tls/manage-tls) applied to the machine such gathered from registry | 
+| `SystemInfoLogs` | `SessionManager.txt` | Session Manager specific settings gather from registry |
+| `SystemInfoLogs` | `SSL_00010002.txt` | Details about [SSL configuration](/windows-server/security/tls/manage-tls) applied to the machine gathered from registry |
+| `EventLogs` | `utc.evtx` | Export of DiagTrack event log |
+| `EventLogs` | `senseIR.evtx` | Export of the Automated Investigation event log |
+| `EventLogs` | `sense.evtx` | Export of the Sensor main event log |
+| `EventLogs` | `OperationsManager.evtx` | Export of the Microsoft Monitoring Agent event log |
+| `MdeConfigMgrLogs` | `SecurityManagementConfiguration.json` | Configurations sent from MEM (Microsoft Endpoint Manager) for enforcement |
+| `MdeConfigMgrLogs` | `policies.json` | Policies settings to be enforced on the device |
+| `MdeConfigMgrLogs` | `report_xxx.json` | Corresponding enforcement results |
 
 
 ## See also
diff --git a/defender-endpoint/troubleshoot-collect-support-log.md b/defender-endpoint/troubleshoot-collect-support-log.md
@@ -65,9 +65,10 @@ This article provides instructions on how to run the tool via Live Response on W
 
    [![Image of commands.](media/analyzer-commands.png)](media/analyzer-commands.png#lightbox)
    
+
 ### Additional information
 
-- The latest preview version of MDEClientAnalyzer can be downloaded here: <https://aka.ms/MDEClientAnalyzerPreview>.
+- The latest *preview* version of MDE Client Analyzer can be downloaded at [https://aka.ms/MDEClientAnalyzerPreview](https://aka.ms/MDEClientAnalyzerPreview).
 
 - For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender for Endpoint cloud services, or doesn't appear in Microsoft Defender for Endpoint portal as expected, see [Verify client connectivity to Microsoft Defender for Endpoint service URLs](verify-connectivity.md).
 
diff --git a/defender-endpoint/troubleshoot-security-config-mgt.md b/defender-endpoint/troubleshoot-security-config-mgt.md
@@ -60,7 +60,7 @@ The following table lists errors and directions on what to try/check in order to
 
 |Error Code|Enrollment Status|Administrator Actions|
 |---|---|---|
-|`5-7`, `9`, `11-12`, `26-33`|General error|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. This could be due to the device not meeting [prerequisites for Microsoft Defender for Endpoint management channel](/mem/intune/protect/mde-security-integration). Running the [Client Analyzer](https://aka.ms/MDEClientAnalyzerPreview) on the device can help identify the root cause of the issue. If this doesn't help, contact support.|
+|`5-7`, `9`, `11-12`, `26-33`|General error|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. This could be due to the device not meeting [prerequisites for Microsoft Defender for Endpoint management channel](/mem/intune/protect/mde-security-integration). Running the [MDE Client Analyzer (preview)](https://aka.ms/MDEClientAnalyzerPreview) on the device can help identify the root cause of the issue. If this doesn't help, contact support.|
 | `8`, `44` | Microsoft Intune Configuration issue | The device was successfully onboarded to Microsoft Defender for Endpoint. However, Microsoft Intune hasn't been configured through the Admin Center to allow Microsoft Defender for Endpoint Security Configuration. Make sure the [Microsoft Intune tenant is configured and the feature is turned on](/mem/intune/protect/mde-security-integration#configure-your-tenant-to-support-microsoft-defender-for-endpoint-security-configuration-management).|
 |`13-14`,`20`,`24`,`25`|Connectivity issue|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow, which could be due to a connectivity issue. Verify that the [Microsoft Entra ID and Microsoft Intune endpoints](/mem/intune/protect/mde-security-integration#connectivity-requirements) are opened in your firewall.|
 |`10`,`42`|General Hybrid join failure|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow and the OS failed to perform hybrid join. Use [Troubleshoot Microsoft Entra hybrid joined devices](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current) for troubleshooting OS-level hybrid join failures.|
@@ -72,7 +72,7 @@ The following table lists errors and directions on what to try/check in order to
 |`40`|Clock sync issue|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. Verify that the clock is set correctly and is synced on the device where the error occurs.|
 |`43`|MDE and ConfigMgr|The device is managed using Configuration Manager and Microsoft Defender for Endpoint. Controlling policies through both channels may cause conflicts and undesired results. To avoid this, endpoint security policies should be isolated to a single control plane. |
 |`2`|Device is not enrolled and has never been enrolled|The device was successfully onboarded to Microsoft Defender for Endpoint. However, it is not enrolled to be managed by Defender for Endpoint. For more information, see [Configure Microsoft Defender for Endpoint](/mem/intune/protect/mde-security-integration?pivots=mdssc-preview). |
-|`4`|Device is managed by SCCM Agent|The device was successfully onboarded to Microsoft Defender for Endpoint. However, it is configured to be managed by SCCM. In order for the machine to be managed by MDE go to  Settings > Endpoints > Configuration Management > Enforcement Scope and turn of the "Manage Security setting using Configuration Manager" toggle. For more information on co-existence with Configuration Manager, see [here](/mem/intune/protect/mde-security-integration#co-existence-with-microsoft-endpoint-configuration-manager). |
+|`4`|Device is managed by SCCM Agent|The device was successfully onboarded to Microsoft Defender for Endpoint. However, it is configured to be managed by SCCM. In order for the machine to be managed by MDE go to  Settings > Endpoints > Configuration Management > Enforcement Scope and turn of the "Manage Security setting using Configuration Manager" toggle. For more information on co-existence with Configuration Manager, see [Defender for Endpoint integration with Configuration Manager](/mem/intune/protect/mde-security-integration#co-existence-with-microsoft-endpoint-configuration-manager). |
 
 ## Related topic
 
