
MDE Analyzer won't run on Server 2012 R2


WMDCC1CSM11 - MDE Analyser not running

 


Starting Microsoft Defender for Endpoint analyzer process...

Testing for administrative privileges
Script is running with sufficient privileges

MDEClientAnalyzer EULA Accepted
Exception calling "Create" with "1" argument(s): "This implementation is not
part of the Windows Platform FIPS validated cryptographic algorithms."
At C:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Util
ity\Microsoft.PowerShell.Utility.psm1:22 char:9
+ $hasher =
[System.Security.Cryptography.HashAlgorithm]::Create($Algorith ...
+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : InvalidOperationException

Get-FileHash : The file 'C:\temp\MDEClientAnalyzer\Tools\Events.json' cannot
be read: You cannot call a method on a null-valued expression.
At C:\temp\MDEClientAnalyzer\MDEClientAnalyzer.ps1:1892 char:15
+ $fileHash = Get-FileHash -Path $filePath
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ReadError: (C:\temp\MDEClie...ols\Events.json:PS
Object) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : FileReadError,Get-FileHash

CheckHashFile : Script execution terminated because hash did not match
expected value. Expected value:
5AC7B7940F27721B3BDA48493CB388DC6BC8C9B0D024D6135FC91CB840B3C20D
At C:\temp\MDEClientAnalyzer\MDEClientAnalyzer.ps1:2410 char:1
+ CheckHashFile "$ResourcesJson"
"5AC7B7940F27721B3BDA48493CB388DC6BC8C9B0D024D613 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorExcep
tion
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio
n,CheckHashFile

2 Replies
Please download the latest client analyzer tool and make sure you are following the steps mentioned in the link below.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-analyzer-windows?view...
The issue is likely happening because of old PowerShell dependencies that are built into the old OS.
I suggest you try to upgrade to WMF 5.1 which will also upgrade the problematic PowerShell components - https://www.microsoft.com/en-us/download/details.aspx?id=54616&lc=1033

Note: It may still throw a few errors on Windows Server 2012 R2 even with WMF 5.1 installed, but its main functionality should work, and it should produce a valid result file.
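
The first error in the output above is a FIPS-policy exception raised inside the built-in Get-FileHash, and the later hash-mismatch message follows from it. The diagnostic below is an added example, not part of the replies or of MDEClientAnalyzer: it reports the PowerShell version, whether the host allows only FIPS-validated algorithms, whether the failing call reproduces, and a SHA-256 of the file computed with SHA256CryptoServiceProvider. The parameter names are hypothetical and the default path is taken from the error output.

```powershell
# Added diagnostic example; not part of MDEClientAnalyzer.ps1.
# -Path defaults to the file named in the error output; -Expected is optional.
param(
    [string]$Path = 'C:\temp\MDEClientAnalyzer\Tools\Events.json',
    [string]$Expected = ''
)

# 1. Engine version: Server 2012 R2 ships 4.0; after WMF 5.1 this reports 5.1.
$psVersion = $PSVersionTable.PSVersion.ToString()

# 2. Is .NET restricted to FIPS-validated algorithms on this host?
$fipsOnly = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

# 3. Reproduce the call from Microsoft.PowerShell.Utility.psm1:22.
#    SHA256 is the default algorithm of Get-FileHash.
$createWorks = $true
try {
    $probe = [System.Security.Cryptography.HashAlgorithm]::Create('SHA256')
    if ($probe) { $probe.Dispose() }
} catch {
    $createWorks = $false
}

# 4. Hash the file with the provider that wraps the Windows platform
#    implementation, which is usable while the FIPS policy is enabled.
$sha256 = $null
if (Test-Path -LiteralPath $Path) {
    $provider = New-Object System.Security.Cryptography.SHA256CryptoServiceProvider
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $provider.ComputeHash($stream)
        $sha256 = [System.BitConverter]::ToString($bytes) -replace '-', ''
    } finally {
        $stream.Dispose()
        $provider.Dispose()
    }
}

# 5. Summarize. MatchesExpected stays $null unless -Expected was supplied.
$matches = $null
if ($Expected -and $sha256) { $matches = ($sha256 -eq $Expected.ToUpper()) }

[pscustomobject]@{
    PSVersion         = $psVersion
    FipsOnlyPolicy    = $fipsOnly
    HashCreateWorks   = $createWorks
    FileFound         = (Test-Path -LiteralPath $Path)
    Sha256            = $sha256
    MatchesExpected   = $matches
}
```

If FipsOnlyPolicy is True and HashCreateWorks is False, the file itself is not the problem: the old Get-FileHash cannot produce any hash on that host, so the analyzer's integrity check fails before a comparison takes place.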