
Collect endpoint DLP diagnostic logs

If you open a Microsoft Support case for an endpoint data loss prevention (DLP) issue, you might be asked to provide diagnostic logs. You can use the Microsoft Defender for Endpoint (MDE) Client Analyzer tool to simplify, standardize, and streamline data collection.

This article offers step-by-step instructions for using the MDE Client Analyzer tool to collect diagnostic logs for your endpoint DLP setup on a Microsoft Windows device.

To analyze the diagnostic results so that you can independently troubleshoot endpoint DLP issues, see Analyze endpoint DLP diagnostic logs.

Tip

For additional resources to troubleshoot endpoint DLP issues, see Troubleshoot and manage DLP for endpoint devices.

Collect diagnostic logs

Follow these steps on a Windows 10 or Windows 11 device:

  1. Download the MDE Client Analyzer tool.

  2. Extract the content of the downloaded MDEClientAnalyzer.zip file to any folder.

  3. In an elevated command prompt window, navigate to the root folder that contains the extracted content.

  4. At the command prompt, run the following command to start the MDE Client Analyzer tool:

    MDEClientAnalyzer.cmd -t
    

    The -t switch enables client-side DLP logging (tracing).

    Note

    Don't run the PowerShell script file that's named MDEClientAnalyzer.ps1.

  5. Wait for the tool to generate the following output in the terminal:

    Starting Microsoft Defender for Endpoint analyzer process

    DLP quick diagnosis complete
    Do you want to allow MDEClientAnalyzer to collect screen-captures while traces are running?
    If yes, make sure you close any windows not related to the issue you are recording such as Outlook or Teams
    Type 'Y' and press ENTER to allow Problem Steps Recorder to capture screenshots. Use any other key or ENTER to disable PSR.:

  6. If you want the tool to capture screenshots, type 'Y', and then press Enter. Otherwise, just press Enter.

  7. Wait for the tool to generate the following output in the terminal:

    Capturing screenshots <enabled/disabled> by user request
    Stopping any running WPR trace profiles
    Enter the number of minutes to collect traces:

  8. Enter the maximum number of minutes for diagnostic data collection, and then press Enter.

    Note

    Regardless of the minutes value that you enter, you can manually stop data collection at any time.

  9. Wait for the tool to display a blue banner as shown in the following screenshot. The banner displays the message, "Collecting traces, run your scenario now and press 'q' to stop data collection at any time."

    (Screenshot: the blue banner that appears in the console to indicate that data collection has started.)

  10. Reproduce the endpoint DLP issue that you want to diagnose. For example, if the issue is that users can copy a protected document to a USB removable device, reproduce the issue by copying a protected document to a USB removable device. Make sure that you perform all necessary actions to reproduce the issue.

  11. Press 'q' to stop data collection, and then wait for the tool to generate the following output in the terminal:

    WARNING: The trace collection action was ended by user exit command
    Stopping and merging Defender Antivirus traces if running
    Please enter the full path to the document that was used during log collection…

  12. Enter the full path of the protected document, surrounded by quotation marks, and then press Enter.

    Note

    To get the full path surrounded by quotation marks, right-click the file in File Explorer, and then select Copy as path.

  13. Wait for the tool to generate the following output in the terminal:

    Succeeded to CollectLog at: <root path>\MDEClientAnalyzer\MDEClientAnalyzerResult\MDM\MDMLogs.zip
    Generating HealthCheck report…
    Compressing results directory…
    Result is available at: MDEClientAnalyzerResult_<ID>.zip
    Client analysis results opened in browser

    The tool opens a webpage in your default browser that's titled MDE Client Analyzer Results.

  14. Find the MDEClientAnalyzerResult_<ID>.zip file in the MDEClientAnalyzer folder, and then extract the file to view the diagnostic logs.
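As an added helper for this procedure (it is not part of the article or of the MDE Client Analyzer tool), the following PowerShell script checks the preconditions from steps 3 and 4 (elevation, and running MDEClientAnalyzer.cmd rather than the .ps1), runs the analyzer so that you answer its prompts exactly as described in steps 5 through 12, and then finds and extracts the result archive from step 14. It assumes that MDEClientAnalyzer.zip was extracted to the folder named in $AnalyzerRoot and that the MDEClientAnalyzerResult_<ID>.zip file is written into that same folder.

```powershell
# Added helper script; not part of the original article or the MDE Client Analyzer tool.
param(
    # Assumed extraction folder for MDEClientAnalyzer.zip (adjust to your own path).
    [string]$AnalyzerRoot = 'C:\Temp\MDEClientAnalyzer'
)

# Step 3: the analyzer must run from an elevated prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell window.'
}

# Step 4: run MDEClientAnalyzer.cmd (not MDEClientAnalyzer.ps1) with -t to enable DLP tracing.
$cmd = Join-Path $AnalyzerRoot 'MDEClientAnalyzer.cmd'
if (-not (Test-Path -LiteralPath $cmd)) {
    throw "MDEClientAnalyzer.cmd was not found in $AnalyzerRoot. Extract MDEClientAnalyzer.zip there first."
}

# Remember the result archives that already exist so the one created by this run can be identified.
$before = @(Get-ChildItem -LiteralPath $AnalyzerRoot -Filter 'MDEClientAnalyzerResult_*.zip' |
            Select-Object -ExpandProperty FullName)

# The tool is interactive (screenshot prompt, minutes to collect, 'q' to stop, document path),
# so it runs in the current console and you answer the prompts as in steps 5 through 12.
Push-Location -LiteralPath $AnalyzerRoot
try {
    & $cmd -t
} finally {
    Pop-Location
}

# Step 14: locate the archive produced by this run and extract it for review.
$result = Get-ChildItem -LiteralPath $AnalyzerRoot -Filter 'MDEClientAnalyzerResult_*.zip' |
          Where-Object { $before -notcontains $_.FullName } |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First 1
if (-not $result) {
    throw 'No new MDEClientAnalyzerResult_<ID>.zip was produced; check the console output for errors.'
}
$dest = Join-Path $AnalyzerRoot $result.BaseName
Expand-Archive -LiteralPath $result.FullName -DestinationPath $dest -Force
Write-Host "Diagnostic logs extracted to $dest"
Get-ChildItem -LiteralPath $dest -Recurse -File | Select-Object FullName, Length
```

Run it as `.\Collect-EndpointDlpLogs.ps1 -AnalyzerRoot 'D:\Tools\MDEClientAnalyzer'` (a file name chosen here; any name works) and reproduce the DLP issue when the blue banner appears.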