deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #2952 from kurtsarens/kurtsarens

Browse Source 
Update manage-updates-baselines-windows-defender-antivirus.md
This commit is contained in:
Denise Vangel-MSFT 2020-06-01 14:06:53 -07:00 committed by GitHub
commit d8eaa73016
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 123 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md
View File

@ -1,67 +0,0 @@
---
title: Collect diagnostic data for Update Compliance and Windows Defender Windows Defender Antivirus
description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Windows Defender Antivirus Assessment add in
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, windows defender av
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
---
# Collect Update Compliance diagnostic data for Windows Defender AV Assessment
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in.
Before attempting this process, ensure you have read [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md), met all require prerequisites, and taken any other suggested troubleshooting steps.
On at least two devices that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by taking the following steps:
1. Open an administrator-level version of the command prompt as follows:
a. Open the **Start** menu.
b. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**.
c. Enter administrator credentials or approve the prompt.
2. Navigate to the Windows Defender directory. By default, this is `C:\Program Files\Windows Defender`.
3. Type the following command, and then press **Enter**
```Dos
mpcmdrun -getfiles
```
4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`.
5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
6. Send an email using the <a href="mailto:ucsupport@microsoft.com?subject=WDAV assessment issue&body=I%20am%20encountering%20the%20following%20issue%20when%20using%20Windows%20Defender%20AV%20in%20Update%20Compliance%3a%20%0d%0aI%20have%20provided%20at%20least%202%20support%20.cab%20files%20at%20the%20following%20location%3a%20%3Caccessible%20share%2c%20including%20access%20details%20such%20as%20password%3E%0d%0aMy%20OMS%20workspace%20ID%20is%3a%20%0d%0aPlease%20contact%20me%20at%3a">Update Compliance support email template</a>, and fill out the template with the following information:
```
I am encountering the following issue when using Windows Defender Antivirus in Update Compliance:
I have provided at least 2 support .cab files at the following location: <accessible share, including access details such as password>
My OMS workspace ID is:
Please contact me at:
```
## See also
- [Troubleshoot Windows Defender Windows Defender Antivirus reporting](troubleshoot-reporting.md)

97
windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data.md Normal file
View File

@ -0,0 +1,97 @@
---
title: Collect diagnostic data of Windows Defender Windows Defender Antivirus
description: Use a tool to collect data to troubleshoot Windows Defender Antivirus
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, windows defender av
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
---
# Collect Windows Defender AV diagnostic data
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV.
On at least two devices that are experiencing the same issue, obtain the .cab diagnostic file by taking the following steps:
1. Open an administrator-level version of the command prompt as follows:
a. Open the **Start** menu.
b. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**.
c. Enter administrator credentials or approve the prompt.
2. Navigate to the Windows Defender directory. By default, this is `C:\Program Files\Windows Defender`.
> [!NOTE]
> If you're running an updated Windows Defender Platform version, please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<version>`.
3. Type the following command, and then press **Enter**
```Dos
mpcmdrun.exe -GetFiles
```
4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`.
> [!NOTE]
> To redirect the cab file to a a different path or UNC share, use the below command:
> `mpcmdrun.exe -GetFiles -SupportLogLocation <path>`
> for more information see '[Redirect diagnostic data to a UNC share](#Redirect-diagnostic-data-to-a-UNC-share)'
5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
> [!NOTE]
>If you have a problem with Update compliance, send an email using the <a href="mailto:ucsupport@microsoft.com?subject=WDAV assessment issue&body=I%20am%20encountering%20the%20following%20issue%20when%20using%20Windows%20Defender%20AV%20in%20Update%20Compliance%3a%20%0d%0aI%20have%20provided%20at%20least%202%20support%20.cab%20files%20at%20the%20following%20location%3a%20%3Caccessible%20share%2c%20including%20access%20details%20such%20as%20password%3E%0d%0aMy%20OMS%20workspace%20ID%20is%3a%20%0d%0aPlease%20contact%20me%20at%3a">Update Compliance support email template</a>, and fill out the template with the following information:
>```
> I am encountering the following issue when using Windows Defender Antivirus in Update Compliance:
> I have provided at least 2 support .cab files at the following location:
> <accessible share, including access details such as password>
>
> My OMS workspace ID is:
>
> Please contact me at:
## Redirect diagnostic data to a UNC share
To collect diagnostic data on a central repository, you can specify the SupportLogLocation parameter.
```Dos
mpcmdrun.exe -GetFiles -SupportLogLocation <path>
```
Copies the diagnostic data to the specified path. If the path is not specified, the diagnostic data will be copied to the location specified in the Support Log Location Configuration.
When the SupportLogLocation parameter is used, a folder structure as below will be created in the destination path:
```Dos
<path>\<MMDD>\MpSupport-<hostname>-<HHMM>.cab
```
| field | Description |
|:----|:----|
| path | The path as specified on the commandline or retrieved from configuration
| MMDD | Month Day when the diagnostic data was collected (eg 0530)
| hostname | the hostname of the device on which the diagnostic data was collected.
| HHMM | Hours Minutes when the diagnostic data was collected (eg 1422)
> [!NOTE]
> When using a File share please make sure that account used to collect the diagnostic package has write access to the share.
## See also
- [Troubleshoot Windows Defender Windows Defender Antivirus reporting](troubleshoot-reporting.md)

5
windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
View File

@ -36,7 +36,7 @@ MpCmdRun.exe [command] [-options]
```
Here's an example:
```
MpCmdRun.exe -scan -2
MpCmdRun.exe -Scan -ScanType 2
```
| Command | Description |
@ -44,7 +44,7 @@ MpCmdRun.exe -scan -2
| `-?` **or** `-h` | Displays all available options for this tool |
| `-Scan [-ScanType [0\|1\|2\|3]] [-File <path> [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout <days>] [-Cancel]` | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan. CpuThrottling will honor the configured CPU throttling from policy |
| `-Trace [-Grouping #] [-Level #]` | Starts diagnostic tracing |
| `-GetFiles` | Collects support information |
| `-GetFiles [-SupportLogLocation <path>]` | Collects support information. See '[collecting diagnostic data](collect-diagnostic-data.md)' |
| `-GetFilesDiagTrack` | Same as `-GetFiles`, but outputs to temporary DiagTrack folder |
| `-RemoveDefinitions [-All]` | Restores the installed Security intelligence to a previous backup copy or to the original default set |
| `-RemoveDefinitions [-DynamicSignatures]` | Removes only the dynamically downloaded Security intelligence |
@ -58,5 +58,6 @@ MpCmdRun.exe -scan -2
## Related topics
- [Reference topics for collecting diagnostic data](collect-diagnostic-data.md)
- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

23
windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
View File

@ -58,11 +58,32 @@ All our updates contain:
* serviceability improvements
* integration improvements (Cloud, MTP)
<br/>
<details>
<summary> May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)</summary>
&ensp;Security intelligence update version: **1.317.20.0**
&ensp;Released: **May 26, 2020**
&ensp;Platform: **4.18.2005.4**
&ensp;Engine: **1.1.17100.2**
&ensp;Support phase: **Security and Critical Updates**
### What's new
* Improved logging for scan events
* Improved user mode crash handling.
* Added event tracing for Tamper protection
* Fixed AMSI Sample submission
* Fixed AMSI Cloud blocking
* Fixed Security update install log
### Known Issues
No known issues
<br/>
</details>
<details>
<summary> April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)</summary>
&ensp;Security intelligence update version: **TBD**
&ensp;Security intelligence update version: **1.315.12.0**
&ensp;Released: **April 30, 2020**
&ensp;Platform: **4.18.2004.6**
&ensp;Engine: **1.1.17000.2**

2
windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md
View File

@ -62,7 +62,7 @@ In order for devices to properly show up in Update Compliance, you have to meet
If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.
> [!div class="nextstepaction"]
> [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data-update-compliance.md)
> [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data.md)