Contents

Defender for Identity, Npcap on Windows Server 2022

Microsoft Defender for Identity is a very useful tool for gaining deep insight into an Active Directory environment. The agents installed on each domain controller collect information directly from the server’s network traffic and forward it to Microsoft Defender.

For this analysis, the agent uses the WinPcap driver by default. This leads to the following error message on a Windows Server 2022 even under moderate load:

/en/defender-identity-npcap-windows-server-2022/images/Preview.png

However, the CPU, RAM and network load of the affected domain controller is not particularly high.

/en/defender-identity-npcap-windows-server-2022/images/Performance.png

The cause here is the outdated WinPcap driver. It has not been updated since 2013 and official development has been discontinued. The last officially supported operating system version was Windows Server 2012.

With Agent version 2.156, Microsoft now offers the Npcap driver as a replacement for WinPcap.

This driver is under active development and based on a libpcap version from 2021 and not 2008.

For this purpose, Microsoft has signed a license agreement that allows the use of the OEM version and thus the limit of 5 installations does not apply. Another advantage of the OEM version is that it can be silently installed via script.

Note
Microsoft itself recommends using Npcap with Defender for Identity.

Using Npcap with Defender for Identity

For Defender for Identity to use the new driver, it must be installed before installing the agent. Otherwise the agent will install the old WinPcap driver automatically.

Download

The first step is to download the new agent package.

/en/defender-identity-npcap-windows-server-2022/images/DownloadAgent.png

The new Azure ATP Sensor Setup.zip file contains two seperate setup files. Azure ATP Sensor Setup.exe and Npcap-1.00-oem.exe.

/en/defender-identity-npcap-windows-server-2022/images/DefenderZip.png

Uninstall

If the agent is already installed, the new version including the new driver can be installed without restarting the server. However, the current agent must be uninstalled first.

/en/defender-identity-npcap-windows-server-2022/images/WinPCAP.png

# Remove Current sensor version
$RemoveATPSensor = Get-ChildItem "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\" | Get-ItemProperty | Where-Object { $_.DisplayName -eq "Azure Advanced Threat Protection Sensor" } | Select-Object -ExpandProperty BundleCachePath
Start-Process -Wait -NoNewWindow -FilePath $RemoveATPSensor -ArgumentList "/uninstall /quiet"

It is important that the agent and WinPcap are removed after the uninstallation. If WinPcap is still installed, it must be uninstalled manually.

/en/defender-identity-npcap-windows-server-2022/images/NotInstalled.png

Installation

During the installation, the Npcap driver must be installed first. We enable the WinPcap compatible mode and disable loopback support.

After that, Defender for Identity Agent can be installed as usual.

# Install Npcap with WinPcap Mode activated and loopback support disabled
Start-Process -Wait -NoNewWindow -FilePath ".\Npcap\npcap-1.00-oem.exe" -ArgumentList "/S /winpcap_mode=yes /loopback_support=no"
# Install Microsoft Defender for Identity Agent
Start-Process -Wait -NoNewWindow -FilePath ".\Azure ATP Sensor Setup.exe" -ArgumentList '/quiet NetFrameworkCommandLineArguments="/q" AccessKey="YOURACCESSKEYHERE" ProxyUrl="http://PROXYURL"'

/en/defender-identity-npcap-windows-server-2022/images/NPCAP.png

After switching to the Npcap driver, the error message shown above no longer occurred. The performance improvements promised by Microsoft are therefore really present.