From af301244eb1849365dceb70583588c9a2b173f42 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 4 Jul 2019 13:53:53 -0700 Subject: [PATCH] troubleshoot live response --- windows/security/threat-protection/TOC.md | 5 ++ .../microsoft-defender-atp/TOC.md | 6 +- .../troubleshoot-live-response.md | 56 +++++++++++++++++++ 3 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index e054a66443..9535492f02 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -421,6 +421,11 @@ #### [Troubleshoot Microsoft Defender ATP service issues](microsoft-defender-atp/troubleshoot-mdatp.md) ##### [Check service health](microsoft-defender-atp/service-status.md) + +#### [Troubleshoot live response issues]() +##### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md) + + ####Troubleshoot attack surface reduction ##### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md) ##### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md index 881293505c..44f14073d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md 
@@ -417,10 +417,14 @@ ### [Troubleshoot Microsoft Defender ATP service issues](troubleshoot-mdatp.md) #### [Check service health](service-status.md) + +### [Troubleshoot live response issues]() +#### [Troubleshoot issues related to live response](troubleshoot-live-response.md) + ### Troubleshoot attack surface reduction #### [Network protection](../windows-defender-exploit-guard/troubleshoot-np.md) #### [Attack surface reduction rules](../windows-defender-exploit-guard/troubleshoot-asr.md) -#### [Collect diagnostic data for files](../windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md) +#### [Collect diagnostic data for files](../windows-defender-exploit-guard/troubleshoot-np.md) ### [Troubleshoot next generation protection](../windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md new file mode 100644 index 0000000000..c9f75c07aa --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md 
@@ -0,0 +1,56 @@ +--- +title: Troubleshoot Microsoft Defender ATP live response issues +description: Troubleshoot issues that might arise when using live response in Microsoft Defender ATP +keywords: troubleshoot live response, live, response, locked, file +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: troubleshooting +--- + +# Troubleshoot Microsoft Defender Advanced Threat Protection live response issues + + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + +This page provides detailed steps to troubleshoot live response issues. + +## File cannot be accessed during live response sessions +If while trying to take an action during a live response session, you encounter an error message stating that the file can't be accessed, you'll need to use the steps below to address the issue. + +1. Copy the following script code snippet and save it as a PS1 file: + + ``` + $copied_file_path=$args[0] + $action=Copy-Item $copied_file_path -Destination $env:TEMP -PassThru -ErrorAction silentlyContinue + + if ($action){ + Write-Host "You copied the file specified in $copied_file_path to $env:TEMP Succesfully" + } + + else{ + Write-Output "Error occoured while trying to copy a file, details:" + Write-Output $error[0].exception.message + + } + ``` + + +2. Add the script to the live response library. +3. Run the script with one parameter: the file path of the file to be copied. +4. Navigate to your TEMP folder. +5. Run the action you wanted to take on the copied file. + + +
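Review bot: In windows/security/threat-protection/TOC.md, the new parent entry `#### [Troubleshoot live response issues]()` has an empty link target, so it renders as a link that goes nowhere. Point it at microsoft-defender-atp/troubleshoot-live-response.md, or make it a plain heading like the "Troubleshoot attack surface reduction" entry below it. The hunk also adds two blank lines after the new entries where one would do.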
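Review bot: In windows/security/threat-protection/microsoft-defender-atp/TOC.md, the "Collect diagnostic data for files" entry is retargeted from ../windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md to ../windows-defender-exploit-guard/troubleshoot-np.md. That is the same target as the "Network protection" entry two lines above it, and it is unrelated to the commit subject. It looks like an accidental edit; please restore the original target or explain the change in the commit message. The new `### [Troubleshoot live response issues]()` line in this hunk also has an empty link target and needs either a real target or plain heading text.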
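Review bot: In troubleshoot-live-response.md, the procedure ends at step 5 and never removes the copy that the script places in `$env:TEMP`, so every use leaves a second copy of the file on the machine. Add a final step to delete the copy once the action has completed. The script also uses `$args[0]` without checking that a path was passed, so a run with no parameter falls through to the generic error branch; test for a missing argument first and print a usage message. The user-facing strings contain typos ("Succesfully", "occoured"), and the success path uses Write-Host while the error path uses Write-Output; pick one. Step 4 says "your TEMP folder", but the script resolves `$env:TEMP` for the account it runs under; say so, or have the script print the full destination path so the reader knows where to navigate.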