
Is it mandatory to install Npcap before installing Azure ATP sensor?

 Hello,

Planning to install the Azure ATP sensor on a few production DCs; most of them are Windows 2016 Standard Core and hosted on Hyper-V and VMware. Considering all other prerequisites, I just wanted to confirm if it's mandatory to install Npcap on the virtual machine before installing the ATP sensor.
If yes, do we have any steps to install Npcap and the ATP sensor on a Windows Core server?

8 Replies
It is recommended to do so, yes, or else for now it will still deploy WinPcap, which is not recommended. You should be able to use the provided Npcap installer in silent mode on Server Core without issues. Same parameters as in the docs.
https://docs.microsoft.com/en-us/defender-for-identity/technical-faq#how-do-i-download-and-install-t...
Thank you Eli,
So what is the latest compatible working Npcap version, is it 0.996?
And as per my understanding, we need to first install Npcap, regardless of whether the server is physical or virtual, and then install the ATP sensor for successful and better performance without issues in future.
1.00 OEM, which is bundled in the latest zip package. Don't use anything else for now.
Hi Eli,
You mean to say it's part of the "Microsoft Defender for Identity sensor setup package"?
If yes, then just to make sure WinPcap is not deployed during this installation, I want to install Npcap before installing that MDI setup package. In order to do so, can I use the link below to download and install Npcap?
https://nmap.org/npcap/dist/npcap-1.00.exe
If you pre-install Npcap, WinPcap will be skipped, and no, please don't use that URL.
When you download the sensor zip package from the MDI portal, you will get a subfolder in the zip that contains an OEM version of the driver. Make sure to use that one, as it supports silent installation, which should work better for Core. Deploy it, then deploy the sensor, and you should be fine.

Hi Eli,
I have installed the ATP sensor on one of the Core DC servers (Windows 2016).
I see both services; however, one of the services (AATPSensor) is not starting, while the other service (AATPsensorupdater) is running fine. Please find the Microsoft.Tri.Sensor-Errors logs below.
Can you please advise what can be done to fix this?

Logs:
2021-12-03 16:25:15.4010 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IRemoteImpersonationManager remoteImpersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
2021-12-03 16:25:34.0939 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__39 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=xxxx.xxx.com]
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2021-12-03 16:25:34.1251 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IRemoteImpersonationManager remoteImpersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

Check the full log, not only the errors log to get hints on why it fails to connect to the domain controller.
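
One way to follow that advice on Server Core is to collapse a sensor log into its distinct entries with counts, so repeated stack traces stop hiding the first real failure. This is an added example, not part of the original thread or Microsoft's tooling; the function name `Get-SensorLogSummary` and the `$LogPath` variable are hypothetical, and the sample lines are constructed from the excerpt posted above.

```powershell
# Constructed sample, shortened from the log excerpt in this thread.
$text = @'
2021-12-03 16:25:15.4010 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at new Microsoft.Tri.Sensor.SensorModuleManager()
2021-12-03 16:25:34.0939 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__39 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=xxxx.xxx.com]
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
2021-12-03 16:25:34.1251 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
'@
$sample = $text -split '\r?\n'

function Get-SensorLogSummary {
    param(
        [string[]]$Lines,
        [string[]]$Level = @()   # optional filter; only "Error" appears in this thread
    )
    # An entry line is "<timestamp> <level> <source> <message>"; stack frames ("at ...") do not match.
    $entryPattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?<level>\S+)\s+(?<source>\S+)\s+(?<message>.+)$'
    $entries = foreach ($line in $Lines) {
        if ($line -match $entryPattern) {
            # Copy the captures before the next -match overwrites $Matches.
            $ts, $lvl, $src, $msg = $Matches.ts, $Matches.level, $Matches.source, $Matches.message
            if ($Level.Count -gt 0 -and $Level -notcontains $lvl) { continue }
            $dc = $null
            if ($msg -match '\[DomainControllerDnsName=(?<dc>[^\]]+)\]') { $dc = $Matches.dc }
            [pscustomobject]@{ Time = $ts; Level = $lvl; Source = $src; Message = $msg; DomainController = $dc }
        }
    }
    # Group identical entries and keep the first/last time each one was logged.
    $entries | Group-Object Level, Source, Message | ForEach-Object {
        [pscustomobject]@{
            Count            = $_.Count
            First            = ($_.Group | Select-Object -First 1).Time
            Last             = ($_.Group | Select-Object -Last 1).Time
            Level            = $_.Group[0].Level
            Source           = $_.Group[0].Source
            DomainController = $_.Group[0].DomainController
            Message          = $_.Group[0].Message
        }
    } | Sort-Object Count -Descending
}

Get-SensorLogSummary -Lines $sample | Format-List
# Against a real file: Get-SensorLogSummary -Lines (Get-Content -Path $LogPath)
```

On the sample this yields two distinct entries: the "Failed to communicate with configured domain controllers" error seen twice, and the `CreateLdapConnectionAsync` failure once with its `DomainControllerDnsName` value pulled out.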