Microsoft Defender for Identity NPCAP Config Checker

Microsoft Defender for Identity uses NPCAP to inspect packets for malicious intent. Sometimes, NPCAP is not configured correctly for Microsoft Defender for Identity or is installed by another program with different settings, resulting in health issues reported by Microsoft Defender for Identity. In this blog post, I will describe the settings used by Microsoft Defender for Identity and how to fix the health issues regarding NPCAP.

Network Packet Capture

NPCAP, which stands for Network Packet Capture, is installed automatically when installing Microsoft Defender for Identity. It is a library that allows for the capture and injection of network packets. It is best known from the packet analyzer Wireshark, and Microsoft Defender for Identity also uses NPCAP to inspect packets for malicious intent. Sometimes, NPCAP is not configured correctly for Microsoft Defender for Identity or is installed by another program with different settings, resulting in health issues reported by Microsoft Defender for Identity.

Microsoft Defender for Identity

Many options are supported when installing NPCAP. Microsoft Defender for Identity uses the following options when installing NPCAP.

/loopback_support=no /winpcap_mode=yes /admin_only=no /S

Let us go through all of them. The /S is a silent installation and is the easiest to understand. Loopback support is an option for older versions of NPCAP for a loopback adapter, but it is not needed anymore. Previously, Microsoft Defender for Identity used WinPCAP to capture packets, but since WinPCAP is no longer supported, Microsoft Defender for Identity switched to NPCAP. WinPCAP mode installs NPCAP and removes WinPCAP. Admin only is an option where only administrators have access to the NPCAP driver: an Access Control List (ACL) grants permissions only to the SYSTEM and Administrator accounts, so users without administrative permissions require a User Account Control (UAC) elevation.

I created a script to check if the settings comply with the Microsoft Defender for Identity sensor expectations. Microsoft Defender for Identity expects the following settings.

  • Property AdminOnly set to 0 in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\npcap and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\Parameters
  • Property WinPcapCompatible set to 1 in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\npcap and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\Parameters
  • Property LoopbackSupport set to 1 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\Parameters
  • Property LoopbackAdapter must not exist in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\Parameters

Here is an example of the script.

Image 1: Output of the PowerShell script that validates the NPCAP settings

Note: Save the script to the Domain Controller and run the script to validate the NPCAP settings.

& '.\MDI NPCAP Config Checker.ps1'

For example, if the script fails on the “admin only” option, Microsoft Defender for Identity reports health issues. Knowing what “admin only” does, you can change the registry settings and restart the NPCAP service to resolve the health issues in Microsoft Defender for Identity.
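The checks listed above, written out as an added example that is not the author's "MDI NPCAP Config Checker.ps1": it reads the expected properties from both registry keys, reports each mismatch, and with an assumed -Fix switch corrects the values and restarts the npcap service. Run it elevated on the Domain Controller.

```powershell
# Added example, not the author's script: checks the NPCAP registry expectations
# listed above and, with -Fix, corrects them and restarts the npcap service.
[CmdletBinding()]
param([switch]$Fix)
$SoftwareKey = 'HKLM:\SOFTWARE\Wow6432Node\npcap'
$ServiceKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\npcap\Parameters'
# Expected DWORD values from the post; $null means the property must not exist.
$Expected = @(
    @{ Key = $SoftwareKey; Name = 'AdminOnly';         Value = 0     }
    @{ Key = $ServiceKey;  Name = 'AdminOnly';         Value = 0     }
    @{ Key = $SoftwareKey; Name = 'WinPcapCompatible'; Value = 1     }
    @{ Key = $ServiceKey;  Name = 'WinPcapCompatible'; Value = 1     }
    @{ Key = $ServiceKey;  Name = 'LoopbackSupport';   Value = 1     }
    @{ Key = $ServiceKey;  Name = 'LoopbackAdapter';   Value = $null }
)
function Get-NpcapValue([string]$Key, [string]$Name) {
    # Returns the value, or $null when the key or the property is missing.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}
$failures = 0
foreach ($e in $Expected) {
    $actual = Get-NpcapValue -Key $e.Key -Name $e.Name
    $ok    = if ($null -eq $e.Value) { $null -eq $actual } else { $actual -eq $e.Value }
    $shown = if ($null -eq $actual) { '<missing>' } else { $actual }
    $state = if ($ok) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1}\{2} = {3}" -f $state, $e.Key, $e.Name, $shown)
    if ($ok) { continue }
    $failures++
    if (-not $Fix) { continue }
    if ($null -eq $e.Value) {
        Remove-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction Stop
    } else {
        # -Type DWord creates the property if it is missing; the key itself must exist.
        Set-ItemProperty -Path $e.Key -Name $e.Name -Value $e.Value -Type DWord
    }
}
if ($failures -eq 0) {
    Write-Host 'NPCAP configuration matches the MDI sensor expectations.'
} elseif ($Fix) {
    # The driver reads its parameters at start, so restart it for the change to apply.
    Restart-Service -Name npcap -Force
    Write-Host 'Registry corrected and npcap restarted; re-run without -Fix to verify.'
} else {
    Write-Host "$failures setting(s) differ from what the MDI sensor expects; run with -Fix."
}
```

If the driver cannot be restarted in place because the sensor holds it open, a reboot of the Domain Controller applies the corrected values.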

Conclusion

When you install NPCAP with the default settings, there will be no health issues in Microsoft Defender for Identity. Still, sometimes NPCAP is installed by a different application or with different settings, or a different option is selected, which causes health issues in Microsoft Defender for Identity. Knowing the impact of each option, changing it in the registry and restarting the service is enough to fix any health issues regarding NPCAP and Microsoft Defender for Identity.