Forum Discussion

Or Tsemah's avatar
Or Tsemah
Icon for Microsoft rankMicrosoft
Jul 25, 2021

Microsoft Defender for Identity and Npcap

Hi everyone,

Note that starting from MDI version 2.156, we are including the 1.0 OEM version of the Npcap executable in the Sensor deployment package file.

What's new in Microsoft Defender for Identity | Microsoft Docs

So all you have to do is download the new package and extract the file from the ZIP archive.

 

The Microsoft Defender for Identity team is currently recommending that all customers deploy the Npcap driver before deploying the sensor on a domain controller or AD FS server. This will ensure that Npcap driver will be used instead of the WinPcap driver.

 

For more information on MDI and NPCAP, please refer to our FAQ

 

Sensor
updates
  • EliOfek's avatar
    EliOfek
    Aug 26, 2021
    Yes. you might need to plan for a reboot between winpcap and npcap, not sure.
    Also, not that you might need to upgrade .net, as the Gateway worked with 4.6.1. + and the sensor needs 4.7+. and this might also need a reboot, so if you need to, it's best practice to upgrade .net separately from installing the sensor.
  • null null's avatar
    null null
    Copper Contributor
    Jul 30, 2021

    Will the auto-upgrade install the npcap driver or do we need to follow the manual procedures? Additionally is there a deadline to swap out the drivers or will defender for identity continue to support the wincap until a bug is found? 

    • EliOfek's avatar
      EliOfek
      Icon for Microsoft rankMicrosoft
      Jul 30, 2021
      No, we won't change drivers automatically in the foreseen future.
      You will have to manually uninstall the sensor, install npcap, and reinstall the sensor.
      There is no foreseen deadline. winpcap continues to work. We are already aware of a few rare bugs that some customers encounter, and overcoming those bugs are only via this upgrade path. same for potential security issues or support for newer OS's or new patches that at some point might in theory break winpcap.

      The best advise is to plan a migration of existing install base when possible.
      At some point we plan to remove winpcap completely from new install and auto install npcap if it is not installed already.
      • ChrisBrumm's avatar
        ChrisBrumm
        Copper Contributor
        Aug 26, 2021

        Hi EliOfek ,

         

        do we need to deploy Npcap manual for a new deployment or is the current installation package on a clean DC enough?

        What is about migrations from ATA? Do we only have to deinstall the ATA sensor and install the current MDI package?

         

        Thanks in advance

        Chris

Resources