In July 2021 Microsoft announced that, starting with MDI version 2.156, the OEM version of the Npcap executable is included in the Sensor deployment package. The reason is that WinPcap is no longer supported: since it is no longer being developed, the driver can no longer be optimized for the Defender for Identity sensor. Additionally, if an issue arises with the WinPcap driver in the future, there are no options for a fix. More details can be found here.
Since version 2.184, released on July 10th 2022, the Defender for Identity installation package installs the Npcap component instead of the WinPcap drivers.
Although the MDI Sensor does update itself, you will need to plan for this change and act yourself. If you haven’t installed the Npcap driver already, you will notice that within the Microsoft Defender for Identity portal, sensors that use WinPcap show up as ‘Not healthy’.
When opening the status page, you’ll see the following information.
You can use this advanced hunting query to get a quick overview of your domain controllers that have the WinPcap driver installed.
Okay, now that you have identified the domain controllers that require an update, here’s what you need to do after you have received an internal approval for the change.
If you already installed the sensor with WinPcap and need to update to use Npcap:
- Uninstall the sensor.
Lesson learned: when trying to uninstall via the Apps and Features UI on Windows Server 2019, I couldn’t run the install; you really need to open the appwiz.cpl UI.
- Uninstall WinPcap.
- Reinstall the sensor (with an installation package of version 2.184 or greater). This will also install the Npcap driver package. You can download the latest Sensor installation package from the MDI portal.
Once the Sensor is installed, the Sensor will show up as healthy within the Defender for Identity portal.
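A local check for the steps above, as an added example that is not part of the original post or of Microsoft's tooling: it reports which capture driver a domain controller carries and which step applies. The service names (`npf`, `npcap`, `AATPSensor`) and the uninstall key names (`WinPcapInst`, `NpcapInst`) are assumptions; verify them on your own systems.

```powershell
# Added example, not from the original post. Assumed names: WinPcap driver service
# 'npf', Npcap driver service 'npcap', sensor service 'AATPSensor', and the
# uninstall registry keys 'WinPcapInst' / 'NpcapInst'.
function Get-UninstallEntry {
    param([Parameter(Mandatory)][string]$KeyName)
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        $path = Join-Path $root $KeyName
        if (Test-Path $path) { return Get-ItemProperty -Path $path }
    }
}

function Get-SensorVersion {
    # Read the file version of the binary behind the sensor service, if present.
    $svc = Get-CimInstance Win32_Service -Filter "Name='AATPSensor'"
    if ($svc -and $svc.PathName -match '^"?([^"]+?\.exe)') {
        return (Get-Item -LiteralPath $Matches[1]).VersionInfo.FileVersion
    }
}

function Get-CaptureDriverState {
    $winpcap   = Get-UninstallEntry -KeyName 'WinPcapInst'
    $npcap     = Get-UninstallEntry -KeyName 'NpcapInst'
    $npfDriver = Get-CimInstance Win32_SystemDriver -Filter "Name='npf'"
    $npcapDrv  = Get-CimInstance Win32_SystemDriver -Filter "Name='npcap'"
    $sensorVer = Get-SensorVersion

    # Map the findings onto the steps described in the post.
    $action = if ($winpcap -or $npfDriver) {
        'Uninstall sensor, uninstall WinPcap, reinstall sensor (package 2.184 or greater)'
    } elseif (-not $sensorVer) {
        'Sensor not installed'
    } elseif ($npcap -or $npcapDrv) {
        'None: Npcap present, no WinPcap found'
    } else {
        'No capture driver found: reinstall sensor (package 2.184 or greater)'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        SensorVersion  = $sensorVer
        WinPcapPresent = [bool]($winpcap -or $npfDriver)
        NpcapPresent   = [bool]($npcap -or $npcapDrv)
        NpcapVersion   = $npcap.DisplayVersion
        Action         = $action
    }
}

Get-CaptureDriverState | Format-List
```

Run it in an elevated PowerShell session on the domain controller before the change and again after the reinstall to confirm that WinPcap is gone and Npcap is present.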
For other scenarios see: How do I download and install or upgrade the Npcap driver?
Have a great day