SOLVED

Microsoft Defender for Identity and Npcap

Microsoft

Hi everyone,

Note that starting from MDI version 2.156, we are including the 1.0 OEM version of the Npcap executable in the Sensor deployment package file.

What's new in Microsoft Defender for Identity | Microsoft Docs

So all you have to do is download the new package and extract the file from the ZIP archive.

 

The Microsoft Defender for Identity team is currently recommending that all customers deploy the Npcap driver before deploying the sensor on a domain controller or AD FS server. This will ensure that Npcap driver will be used instead of the WinPcap driver.

 

For more information on MDI and NPCAP, please refer to our FAQ

 

9 Replies

Will the auto-upgrade install the Npcap driver or do we need to follow the manual procedures? Additionally, is there a deadline to swap out the drivers or will Defender for Identity continue to support WinPcap until a bug is found?

No, we won't change drivers automatically in the foreseeable future.
You will have to manually uninstall the sensor, install Npcap, and reinstall the sensor.
There is no foreseen deadline. WinPcap continues to work. We are already aware of a few rare bugs that some customers encounter, and overcoming those bugs is only possible via this upgrade path. The same goes for potential security issues or support for newer OSes or new patches that at some point might in theory break WinPcap.

The best advice is to plan a migration of the existing install base when possible.
At some point we plan to remove WinPcap completely from new installs and auto-install Npcap if it is not installed already.

Hi @Eli Ofek ,

 

Do we need to deploy Npcap manually for a new deployment or is the current installation package on a clean DC enough?

What about migrations from ATA? Do we only have to deinstall the ATA sensor and install the current MDI package?

 

Thanks in advance

Chris

You need to install Npcap manually, which now comes with the zip. It's not auto-installing YET.

The ATA gateway needs to be removed before deploying the MDI sensor or else they will collide and cause some unexpected behaviour.

Thanks for the quick reply. :folded_hands:

So my order is:
1. Deinstall ATA Agent
2. Deinstall WinPcap (if installed)
3. Install NPcap
4. Install MDI Agent

Correct?
best response confirmed by Ricky Simpson (Microsoft)
Solution
Yes. You might need to plan for a reboot between WinPcap and Npcap, not sure.
Also, note that you might need to upgrade .NET, as the Gateway worked with 4.6.1+ and the sensor needs 4.7+, and this might also need a reboot, so if you need to, it's best practice to upgrade .NET separately from installing the sensor.

Will Npcap work in Admin-only mode with Defender for Identity? Is there any documentation on securing this to only work with Defender for Identity on AD and ADFS servers?

No, please use the exact install parameters in the docs.
Admin only mode will fail and might even cause hangs.

We just learned that a reboot after deinstalling the ATA agent is needed to allow the MDI installation. We had no winpcap installed and .Net was already >4.7 so I can't comment if there are additional reboots needed.
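
The order worked out in this thread (remove ATA, remove WinPcap, install Npcap, install the sensor, with .NET 4.7+ and reboots in between) can be checked before touching a domain controller. The script below is an added example, not part of any post and not Microsoft tooling; it only reads state. The driver registry names `npf` and `npcap`, the `AATPSensor` service name, and matching the ATA gateway by display name are assumptions about a typical installation.

```powershell
# Added example: read-only pre-flight check for the ATA/WinPcap -> Npcap -> MDI sensor migration.
# Assumed names (not from the thread): 'npf' = WinPcap driver, 'npcap' = Npcap driver,
# 'AATPSensor' = MDI sensor service, ATA gateway matched by display name.

function Test-DriverKey {
    param([Parameter(Mandatory)][string]$Name)
    # Kernel drivers register under the Services key even when Get-Service does not list them.
    Test-Path -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
}

function Get-MdiMigrationPlan {
    # .NET Framework 4.7 corresponds to Release >= 460798 in this registry value.
    $ndp   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $netOk = [bool]($ndp -and $ndp.Release -ge 460798)

    $ata     = [bool](Get-Service -DisplayName '*Advanced Threat Analytics*' -ErrorAction SilentlyContinue)
    $sensor  = [bool](Get-Service -Name 'AATPSensor' -ErrorAction SilentlyContinue)
    $winpcap = Test-DriverKey -Name 'npf'
    $npcap   = Test-DriverKey -Name 'npcap'

    # Standard Windows markers for a reboot that has not happened yet.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $rebootPending = (Test-Path $cbs) -or (Test-Path $wu)

    # Build the remaining steps in the order given in the thread.
    $steps = @()
    if ($rebootPending)            { $steps += 'Reboot first: a restart is already pending' }
    if (-not $netOk)               { $steps += 'Upgrade .NET Framework to 4.7+ separately; reboot if prompted' }
    if ($ata)                      { $steps += 'Uninstall the ATA gateway, then reboot' }
    if ($sensor -and -not $npcap)  { $steps += 'Uninstall the existing MDI sensor' }
    if ($winpcap)                  { $steps += 'Uninstall WinPcap; plan for a possible reboot' }
    if (-not $npcap)               { $steps += 'Install Npcap from the sensor ZIP using the install parameters in the MDI docs (not Admin-only mode)' }
    if (-not $sensor -or -not $npcap) { $steps += 'Install the MDI sensor' }

    [pscustomobject]@{
        DotNet47OrLater = $netOk
        AtaGateway      = $ata
        MdiSensor       = $sensor
        WinPcapDriver   = $winpcap
        NpcapDriver     = $npcap
        RebootPending   = $rebootPending
        RemainingSteps  = $steps
    }
}

Get-MdiMigrationPlan | Format-List
```

An empty `RemainingSteps` list means the sensor is already installed alongside the Npcap driver; run it again after each reboot to confirm the next step.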