title: Troubleshoot Microsoft Defender for Endpoint live response issues
description: Troubleshoot issues that might arise when using live response in Microsoft Defender for Endpoint.
ms.service: defender-endpoint
ms.author: chrisda
author: chrisda
ms.localizationpriority: medium
manager: bagol
audience: ITPro
ms.collection:
  • m365-security
  • tier3
  • mde-edr
ms.topic: troubleshooting
ms.subservice: edr
search.appverid: met150
ms.date: 03/26/2025
appliesto:
  • Microsoft Defender for Endpoint Plan 1
  • Microsoft Defender for Endpoint Plan 2

Troubleshoot Microsoft Defender for Endpoint live response issues

This page provides detailed steps to troubleshoot live response issues.

File can't be accessed during live response sessions

If you try to take an action during a live response session and get an error message stating that the file can't be accessed, take the following steps to address the issue.

  1. Copy the following script code snippet and save it as a PS1 file:

    # Path of the file to copy, passed as the script's first argument
    $copied_file_path = $args[0]

    # Copy the file to TEMP; -PassThru returns the copied item on success
    $action = Copy-Item $copied_file_path -Destination $env:TEMP -PassThru -ErrorAction SilentlyContinue

    if ($action) {
        Write-Host "You copied the file specified in $copied_file_path to $env:TEMP successfully"
    }
    else {
        # The failed copy is the most recent entry in $error
        Write-Output "Error occurred while trying to copy a file, details:"
        Write-Output $error[0].Exception.Message
    }

  2. Add the script to the live response library.

  3. Run the script with one parameter: the file path of the file to be copied.

  4. Navigate to your TEMP folder.

  5. Run the action you wanted to take on the copied file.

Slow live response sessions or delays during initial connections

Live response relies on the Defender for Endpoint sensor's registration with the WNS service in Windows. If you're having connectivity issues with live response, confirm the following details:

  1. WpnService (Windows Push Notifications System Service) isn't disabled.

  2. WpnService connectivity with the WNS cloud isn't disabled through a Group Policy or MDM setting. 'Turn off notifications network usage' shouldn't be set to 1.
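The two checks above can be scripted and run locally on an affected device. The following PowerShell is an added example, not part of the original article or of Microsoft's tooling; the function name `Test-LiveResponseWnsPrereqs` is hypothetical, and the registry key and value name used for the 'Turn off notifications network usage' policy are an assumption about where Group Policy stores that setting (MDM-delivered settings aren't inspected).

```powershell
# Added example: checks the two WpnService conditions listed above.
function Test-LiveResponseWnsPrereqs {
    [CmdletBinding()]
    param()

    # Assumption: Group Policy 'Turn off notifications network usage'
    # is stored under this key and value name. MDM settings are not checked.
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'
    $policyName = 'NoCloudApplicationNotification'

    # Check 1: WpnService must exist and must not be disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WpnService'" `
        -ErrorAction SilentlyContinue
    $startMode = if ($svc) { $svc.StartMode } else { $null }
    $state     = if ($svc) { $svc.State } else { $null }

    # Check 2: a policy value of 1 turns off notification network usage.
    $policy = Get-ItemProperty -Path $policyKey -Name $policyName `
        -ErrorAction SilentlyContinue
    $policyValue = if ($policy) { $policy.$policyName } else { $null }

    $findings = @()
    if (-not $svc) {
        $findings += 'WpnService was not found on this device.'
    }
    elseif ($startMode -eq 'Disabled') {
        $findings += 'WpnService is disabled.'
    }
    if ($policyValue -eq 1) {
        $findings += "'Turn off notifications network usage' is set to 1."
    }

    # One object per run, so results can be collected across devices.
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServiceStartMode = $startMode
        ServiceState     = $state      # informational only
        PolicyValue      = $policyValue # $null means the policy is not configured
        Findings         = $findings
        Passed           = ($findings.Count -eq 0)
    }
}

Test-LiveResponseWnsPrereqs | Format-List
```

A `Passed` value of `False` means at least one of the two conditions above isn't met; `Findings` says which one.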

Refer to the following articles to fully understand the WpnService service behavior and requirements: