Author: thalpius

Microsoft

Microsoft Defender for Identity Bulk Operation

by thalpius
Microsoft Defender for Identity Bulk Operation

Microsoft Defender for Identity supports health issues through the Microsoft Graph API. Unfortunately, at the time of writing, only health issues are supported. When you want to perform a bulk operation, there is no way to do this using the Microsoft Graph API. Using PowerShell in this blog post, I will describe how to add multiple IP addresses to the “Global Excluded Entities” list as a bulk operation.

WARNING: When adding multiple IP addresses to the “Global Excluded Entities” list, it is good to understand Microsoft Defender for Identity will ignore ALL detection from that IP address. This blog post showcases performing a bulk operation, such as adding multiple IP addresses to the “Global Excluded Entities” list.

Automate request with PowerShell

The first thing we need to do is copy the request using a browser to replay it. Open the Defender portal and go to the section where you want to perform a bulk operation. In my example, I am opening the IP addresses section for “Global Excluded Entities.” Add any IP address in the text field and click “Add.” Open the developer’s tools and open the “Network” section. Clear the network log to start with a clean sheet.

Image 1: Developers tools to capture request

Once you click “Add IP addresses (0),” check for the request named “Global” and where you see the added IP address. Right-click the request and select “Copy / Copy as PowerShell.”

Image 2: Copy the request as PowerShell

Now copy the PowerShell command in PowerShell and change the IP address to something else.

Image 3: PowerShell request with a new IP address

Now, you see the new IP address in the portal using a PowerShell command.

Image 4: Added IP address using PowerShell

Now, we create a text file with all the IP addresses we want to add with every IP address on a new line.

10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.5
10.0.0.6
10.0.0.7
10.0.0.8
10.0.0.9

Before the “Invoke-WebRequest,” we need to add a new body and a for loop.

foreach($IPAddress in [System.IO.File]::ReadLines("C:\Users\thalpius\Downloads\IPAddresses.txt")) {

  $body = @{
    ExclusionType = @("Subnet")
    ExcludedEntityIdentifiers = @($IPAddress) 
  } | ConvertTo-Json

For the body, we use the body variable as input.

-Body $body

Here is an example of the complete script.

$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$session.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0"
$session.Cookies.Add((New-Object System.Net.Cookie("s.SessID", "e0826123-5b02-43ea-a531-031ad1104817", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("X-PortalEndpoint-RouteKey", "weuprod_westeurope", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("sccauth", "UB2-m0wz3Ws58SPzNbefq9e9WE9EOv2lmLaPw7kKo9kh2PMxFotm7jIah1GdqZrw8VBrpU1Kgm26DgaLSZ6A5ywC-5J8iqlrv6ik0TTeCUiZuVcpwP6eZ19-7yTfR81oQwvYyTtDpuoG2_vBnBpp9q_LHYmLQFQL0PaSuuYUFZWLJvQumgHU-4Ec8kcsUM025w4aDO-CBzP9DzPLkDN2F2EeEREjRAPffqvrf64cg41javXDp52O-D0ZWqpoZYcAVvBPOYYZZPLKulZurWytpwk3y2KDdsL_TUDIwNujgDej7g_sKad5nHv6NTkiEAnXKyueozReEfo_EixVcs_MwhGKkZHPDhVJOnybkYnoDSOuU_SlrlOM7IcITNcc2h6wOqti-oHyB5Zpm0kHGxJXVZeL2A02XCy_0FFmI5GyZ0miFTu2OnoC4LLxAh4zD1mohPnbP2EzBv8X05QiyLYbl_H81LnWrKeCjJ-ZHp01pY9P6CtVJFRKJIuFFtN1lKGwcsX644y4xHAxLvikJOmzyEDSSFo2IdSFfQqo_TCgA_5PwHQ-N0Jvw4CzOyvxbe-4OaloZPgpYqoKJ6SGo3uIxG4-YjJOaXbbaLUsI4GuGqwCRfdZ2frUBqxyv3UPTtMkelKMjHS5CaxKgFjvRP3DSI0PTF_HXe6nRNAfUJ45hNBrRFKM1LY4E3_duPOfSEL1BXlylvSc5JYE2OfMZvZfeFqURlY7tb84tok6vwMnNb-dNKA2ERgAVCnv96hoges_HRLOSGybRAMCnzxV8VeGyZepKUEVqQcachQMIJXcStNbjFFl5K5oysQ2rfzI_p6vTkYSf6n-MC5gTjH5LDPF4LUBIPPx4FjiqKhpQSE9MdsTARNbFn6mWZb3cuK2vVi6emlBic9UQlVfh_IbuD9AolrrT3l4THawS1fZZvsCZoE7nRKNe06KOfj82ierTO9_bJ9N2Ea_mx27WGfAcE9t4KYxu8g1dQQMp2bmfHkUD0g4rOhlvzz5SKFevUwN7hJscZ_24R9O0SlssA3RXWL-nMLMqx6dLsNo5f7CLM66kv9_94CV8c7zg6ZigYho6fxTqC2WctxJJ0q-7bnTRInnZR_bUvACie6jQvtpnAjDOnPFR19_xb0oaT-yYnDdHhyC1pWX8H9Vl7zDGvjDM9pdx07FbK-IswgUhEelvh1GUyEbt78Z-_CeoGmcIO6aVTGxVmfGDX28o9c3-0_ply1ZMj8Hfh3d2issz-cE8bgQCcU-SAQTtwnmAd_PL7ua4ss2M-aw6TQ1P-sjTRg1UqUTT5CJ7V9ahyAQvhTgSKCHMhIlYx-GoFa3WalcW0mCOSxT-gKHuKzTal9CdmX4KS65002uCuU_0A1Rz3W0ke1ki8PpfzTDItqpi-EYG6ajGcIxjLfLPMUU31ArcSDYaATUUBJEw8p5_wDBR1B7wUUUeSNrfDQxXvkLaiagS-U7tE7WC5P5gmSba3NPNY_wj_F6DhSq3ms_ytCPsHy1aKZUDgtoTvc1-_bVEAdmR8S3GZ7VnN0lOmK7hk0dvPexn7qVqdLoLa0w2gOfseeZytTlN4KHbiZicVWxlOdQ_Mae3qGYSmGKxkWltq3kctEOyF5Jjh7NK19rw_XgDmsGal7QnD_TutPLKXDGmAhCNwoJkJ0BBz9uyuiGNowSKI-gxFxr30Dcp29qG6tUL8DKWgmnZjPcQ9Mjegdim4m7rAxO8oZvdgiFQbrz8DpF2avtiRHAPSBMpILo6fp5ZhBXRKjUG4_7ClE_YWTA391VntnQwoVzfJHxXflnSp4A4lRNTNVbpW-2wi2CjrJWZPoNwJmxUrKhnEHGYMoKPFjZ5wThpFeP87vhJ7axY_V7Dc9k2Q9IdYXlbVZU9_AnEtX8iH77qu_9p2lUzAd3HAAPUKgt6xKZc1-ICDAuD7yB0JMGt-DpkcBU2WELxn9zUsHD9zb9RD2jfsDqHgHBqEZoX1Hlhy-cU9lfdo-3MiP_ld3mnpukREt7Zn-Y84b34Zx8EleAfDVyoJxfOhl2eLglGMJW6oaQ-zy2YdLmHG8Thj76FbTwL4jYeU76wsgsd0Y2mey6tQYaeCEVxffbUoPdvW8EFZYFkX-SQBt-PsBf2I2Trz24o7-wc-9L602J6cTGeX2czaBhJ8VIWE8-orkdfj43Ih-rUZasq8O_uuRVk0YWkwQ", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("s.Flight", "", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("ai_user", "pLdacxhAs64+rre2OP2jWq|2024-11-13T07:27:09.559Z", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("MicrosoftApplicationsTelemetryDeviceId", "4a003a38-4e78-463e-a6cd-9c216518c0c6", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("SSR", "1731482842137", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("XSRF-TOKEN", "yPxQoy4EzwoI_1T3KL-ceaL3A37Qwa_YpYipGReBSKhx8BromY2IzOk69YSR59Hy2oVt1T4Uls4_t_Fepgh-7uk-ED6zV_QfxUEYUFfmDVgWWUE-972C5JdGu0v55LgyX-pxTIQkf1QLLmitQ2%3AF5NtYsmk3iMXBbn8_ejAAgLsf5r45wD8hhR0PiFg41hO4kzw0MetHytNEUflPOKZy9YNpW2WOC-6Um0-Dex564PLDA23vBV_rfjGruTi3wlIfBDprITy_yy1TQcMacdYFFkfNqf8aBEYNGjCoz49eXES6TRcypXelVBmOLyhhFgeOqOKmFY8Ym0iMXp50", "/", "security.microsoft.com")))
$session.Cookies.Add((New-Object System.Net.Cookie("ai_session", "RD4lfgBFP1nJP6terAqmgj|1731485369809|173146039530", "/", "security.microsoft.com")))

foreach($IPAddress in [System.IO.File]::ReadLines("C:\Users\thalpius\Downloads\IPAddresses.txt")) {

  $body = @{
    ExclusionType = @("Subnet")
    ExcludedEntityIdentifiers = @($IPAddress) 
  } | ConvertTo-Json

  Invoke-WebRequest -UseBasicParsing -Uri "https://security.microsoft.com/apiproxy/aatp/api/workspace/configuration/exclusion/Global" `
-Method "POST" `
-WebSession $session `
-Headers @{
"authority"="security.microsoft.com"
  "method"="POST"
  "path"="/apiproxy/aatp/api/workspace/configuration/exclusion/Global"
  "scheme"="https"
  "accept"="application/json, text/plain, */*"
  "accept-encoding"="gzip, deflate, br, zstd"
  "accept-language"="en-us"
  "m-componentname"="SettingsPage"
  "m-connection"="4g"
  "m-name"="SettingsPage[aatp]"
  "m-package"="aatp"
  "m-type"="Page"
  "m-viewid"="globalExclude"
  "origin"="https://security.microsoft.com"
  "priority"="u=1, i"
  "referer"="https://security.microsoft.com/securitysettings/identities?tid=df29849b-6a64-481b-97662-8da3fafcb33b&tabid=globalExclude"
  "request-context"="appId=cid-v1:9f356be5-73bf-45f7-9a98-a86fc98ec84f"
  "request-id"="|4a1abe2879fe44ab8cf1c4fa75a70169.5e69152ec0884513"
  "sec-ch-ua"="`"Chromium`";v=`"130`", `"Microsoft Edge`";v=`"130`", `"Not?A_Brand`";v=`"99`""
  "sec-ch-ua-mobile"="?0"
  "sec-ch-ua-platform"="`"Windows`""
  "sec-fetch-dest"="empty"
  "sec-fetch-mode"="cors"
  "sec-fetch-site"="same-origin"
  "tenant-id"="df29849b-6a67-381b-9162-8da3fafcb33b"
  "x-accepted-statuscode"="3..|4..|50."
  "x-clientpage"="securitysettings.identities@aatp"
  "x-clientpkgversion"="20241112.1"
  "x-edge-shopping-flag"="1"
  "x-tabvisible"="visible"
  "x-tid"="df29849b-6a67-481e-9162-8da3fafcb33b"
  "x-xsrf-token"="yPxQoy4EzwoI_1T3KL-ceaL3A37Qwa_YpYipGROreBSXxJBromY2IzOk69YSR59Hy2oVt1T4Uls4_t_Fepgh-7Guk-ED6zV_QfxUEYfmDVgWWUE-972C5J1Gu0v55dwwX-pxTIQkf1QLLmitQ2:F5NtYsmk3iMXBbn8_ejAAgLsf5r45wD8hhR0PiFg41hO4kzw0MBetHwNEUflPOKZy9YNpW2WOC-6Um0-Dex564PLDA23vBV_rfjGruTi3wfBDprITy_yy1TQcMacdYFFkfNqf8aBEYNGjCfoz49eXEFS6TRcypXelVBmOLewe33hFgeOqOKmFY8Ym0iMXp350"
} `
-ContentType "application/json" `
-Body $body

}

Refreshing the portal will allow you to see all the IP addresses added to the “Global Excluded Entities” list.

Image 5: Added IP addresses using PowerShell

Conclusion

There are better ways to perform bulk operations than this method using PowerShell, but it does work. I do not see a lot of companies needing to use a bulk operation for Microsoft Defender for Identity, but when you do, automation is beneficial.

Microsoft

Microsoft Defender for Identity Recommended Actions: Change Domain Controller computer account old password

by thalpius
Microsoft Defender for Identity Recommended Actions: Change Domain Controller computer account old password

Microsoft Secure Score helps organizations get insights into security posture based on security-related measurements. Microsoft Defender for Identity leverages Secure Score with twenty-seven recommended actions. In a series of blog posts, I will go through all twenty-seven recommended actions and what they mean, a plan of approach, their impact, and my security recommendations, hopefully helping others. The sixteenth one in the series is the “Change Domain Controller computer account old password” recommended action.

Introduction

You have twenty-seven recommendations if you filter the Secure Score recommended actions for Microsoft Defender for Identity.

Some recommended actions are easy to configure, but others require time, proper planning, auditing, and expertise. This blog post will review the recommended action of “Change Domain Controller computer account old password.”

Update: Microsoft keeps updating the recommended actions list. I will do my best to keep the list up-to-date.

Computer Objects Password

Most people are aware that user objects in Active Directory have a password. Few people know that computer objects also have a password within Active Directory. Technically, a password is the hash of a password. By default, the device initiates a password change every thirty days. The recommended action talks about Domain Controllers with an old password. Since it is an automated process every thirty days, a Domain Controller with a password older than thirty days is unusual.

Computer Password Risks

Anyone with a password of a computer object can authenticate as that computer. When a malicious actor owns a password for a Domain Controller, the malicious actor can perform many attacks, including a DCSync attack. With a DCSync attack, a malicious actor dumps secrets like hashes of a Domain Controller controlling the entire domain.

The password for the computer object is auto-generated and extremely hard to guess. I do not see a security risk when the password is not changing for forty-five days, but not changing the password at all could introduce a risk in the long run. However, I do not see anyone brute-forcing the correct hash of a computer object in a decent time.

Recommendations

Microsoft describes four recommendation steps.

  1. Verify Registry Values
  2. Reset Incorrect Values
  3. Check NETLOGON service
  4. Validate Password Synchronization

By default, a computer object’s password changes every thirty days. It is weird when Microsoft Defender for Identity identifies Domain Controller objects with a password older than thirty days. When a password is older than thirty days, either there is a policy forcing a password reset longer than thirty days.

Image 1: Domain Policy to change the maximum password age
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -Name DisablePasswordChange

Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -Name MaximumPasswordAge
Image 2: Registry values to disable or change the age of the password

You can turn off the password change using the registry or set the days the password is forced to change. Use the following PowerShell commands to check the values.

Microsoft recommends using the default value 0 for DisablePasswordChange and 30 for MaximumPasswordAge, which is the “Reset Incorrect Values” recommendation.

When you validate the default values, and Microsoft Defender for Identity still identifies old passwords for Domain Controllers, be sure the NETLOGON service is running.

Image 3: Netlogon service running

The last recommendation by Microsoft is to validate the password synchronization by running the command “NLTEST.”

nltest /SC_VERIFY:<Domain Name>

NLTEST is a built-in command tool for resetting and testing a secure channel between Domain Controllers. The “sc_verify” parameter specifically checks the secure channel status established by the NetLogon service.

Note: Be sure to run the NLTEST command as administrator.

Conclusion

When Microsoft Defender for Identity identifies all domain controllers as having old passwords, it is most likely a domain policy that changes the default values. If it identifies a single domain controller with an old password, it is most likely a registry setting on that domain controller, or the NETLOGON service is not running.

Microsoft

Microsoft Defender for Identity Recommended Actions: Accounts with non-default Primary Group ID

by thalpius
Microsoft Defender for Identity Recommended Actions: Accounts with non-default Primary Group ID

Microsoft Secure Score helps organizations get insights into security posture based on security-related measurements. Microsoft Defender for Identity leverages Secure Score with twenty-seven recommended actions. In a series of blog posts, I will go through all twenty-seven recommended actions and what they mean, a plan of approach, their impact, and my security recommendations, hopefully helping others. The fifteenth  one in the series is the “Accounts with non-default Primary Group ID” recommended action.

Introduction

You have twenty-seven recommendations if you filter the Secure Score recommended actions for Microsoft Defender for Identity.

Some recommended actions are easy to configure, but others require time, proper planning, auditing, and expertise. This blog post will review the recommended action of “Accounts with non-default Primary Group ID.”

Update: Microsoft keeps updating the recommended actions list. I will do my best to keep the list up-to-date.

Primary Group ID

As the name suggests, the Primary Group Identifier (PGID) is the primary group of a user object within Active Directory. By default, it is the Relative Identifier (RID) of the Domain Users group. An RID is assigned to objects and is part of the Security Identifier (SID), which identifies an object within Active Directory. The most crucial part is that every user, by default, has the Domain Users as its default group. Every user is then a member of the Domain Users group. Once you create a user within Active Directory, the user is always a member of the Domain Users group.

Here is an example of a user account with the RID of the Domain Users group.

Image 1: The default PGID of a Domain User

513 is the Domain Users Primary Group Identifier. As we can see in Microsoft’s documentation, 512 is the Primary Group Identifier for the Domain Admins group.

The Attack

If you change the Primary Group Identifier from 513 to 512, the object’s default group is the Domain Admins group. However, someone noticed that not all tooling shows that the object is a member of the Domain Admins group after changing its Primary Group Identifier, hiding the object from privileged groups. The malicious actor needs complete control over the object, so this attack is not used for privilege escalation but for persistence and stealth.

Changing the Primary Group Identifier takes work. If you change the PGID using PowerShell, you will see the following error.

Image 2: Changing the PGID using PowerShell resulting in an error

You get an error because validation occurs to check if the PGID matches the group the object is a member of. Another smart cookie discovered that this check does not occur when changing the object as a fake Domain Controller and then syncing the object to the production Domain Controllers. The attack mentioned above is called “DCShadow Attack.”

A DCShadow attack creates a Roque Domain Controller by placing objects in the configuration partition, triggering a synchronization, and removing them from the configuration partition. The best-known tool for performing a DCShadow attack is Mimikatz. After changing the RID of the object in Active Directory to 512, it looks like this.

Image 3: Changed the PGID from 513 to 512

Unfortunately, I did not find any tools that do not show the object’s group membership. I have seen some screenshots online that do not show the group membership, but Active Directory Users and Computers show the group membership after changing the PGID.

Image 4: How the default group looks like in Active Directory Users & Computers

Accounts with non-default Primary Group ID

Microsoft Defender for Identity monitors user and computer objects in Active Directory for non-default group IDs, such as 513 for Domain Users and 515 for Domain Computers. A domain Administrator account default PGID is a Domain User with an added Domain Admin group. There is no need to change the PGID to become a Domain Administrator.

Conclusion

If no POSIX standard, which dates back to the beginning of the 1980s, is used, there is no need to change any object PGID. However, if an object is a user or computer object, change the object PGID to 513 and add the correct groups to mitigate the attack. Luckily, Microsoft Defender for Identity helps us identify objects within Active Directory using this Recommended action.

Microsoft

Microsoft Defender for Identity Recommended Actions: Start your Defender for Identity deployment, installing Sensors on DC’s and other eligible servers

by thalpius
Microsoft Defender for Identity Recommended Actions: Start your Defender for Identity deployment, installing Sensors on DC’s and other eligible servers

Microsoft Secure Score helps organizations get insights into security posture based on security-related measurements. Microsoft Defender for Identity leverages Secure Score with twenty-seven recommended actions. In a series of blog posts, I will go through all twenty-seven recommended actions and what they mean, a plan of approach, their impact, and my security recommendations, hopefully helping others. The fourteenth  one in the series is the “Start your Defender for Identity deployment, installing Sensors on DC’s and other eligible servers” recommended action.

Introduction

You have twenty-seven recommendations if you filter the Secure Score recommended actions for Microsoft Defender for Identity.

Some recommended actions are easy to configure, but others require time, proper planning, auditing, and expertise. This blog post will review the recommended action of “Start your Defender for Identity deployment, installing Sensors on DC’s and other eligible servers.”

Update: Microsoft keeps updating the recommended actions list. I will do my best to keep the list up-to-date.

Installing sensors on Domain Controllers and other eligible servers

In one of my previous blog posts, I mentioned installing Microsoft Defender for Identity on all domain controllers because not all data synchronizes between them. Not installing a sensor on a Domain Controller increases the risk of a successful compromise if a malicious actor attacks that Domain Controller. For that reason, Microsoft recommends installing a sensor on all Domain Controllers. This recommended action looks the same as my previous blog post, but there is a difference. This recommended action is for workspaces with a license but no sensors. With “no sensor,” I mean the Active Directory Domain Services servers (AD DS), Active Directory Federation Services servers (AD FS), Active Directory Certificate Services servers (AD CS), and AD Connect servers, hence “other eligible servers.”

Conclusion

The description is confusing, as there is a recommended action about installing the sensors already. Still, as confirmed by Microsoft, this recommended action describes when no sensors are installed at all. Once again, it is crucial to install sensors on all eligible servers, as it is a security risk not to install a sensor since there are ways to detect whether a server contains a sensor mentioned in my previous blog post.

Microsoft

Microsoft Defender for Identity NPCAP Config Checker

by thalpius
Microsoft Defender for Identity NPCAP Config Checker

Microsoft Defender for Identity uses NPCAP to inspect packets for malicious intent. Sometimes, NPCAP is not configured correctly for Microsoft Defender for Identity or is installed by another program with different settings, resulting in health issues reported by Microsoft Defender for Identity. In this blog post, I will describe the settings used by Microsoft Defender for Identity and how to fix the health issues regarding NPCAP.

Network Packet Capture

NPCAP, which stands for Network Packet Capture, automatically installs when installing Microsoft Defender for Identity. It is a library that allows for the capture and injection of network packets. It is mainly known when installing the packet analyzer Wireshark and Microsoft Defender for Identity, which uses NPCAP to inspect packets for malicious intent. Sometimes, NPCAP is not configured correctly for Microsoft Defender for Identity or is installed by another program with different settings, resulting in health issues reported by Microsoft Defender for Identity.

Microsoft Defender for Identity

Many options are supported when installing NPCAP. Microsoft Defender for Identity uses the following options when installing NPCAP.

/loopback_support=no /winpcap_mode=yes /admin_only=no /S

Let us go through all of them. The /S is a silent installation and is the easiest to understand. Loopback support is an option for older versions of NPCAP for a loopback adapter, but it is not needed anymore. Previously, Microsoft Defender for Identity used WinPCAP to capture packets, but since WinPCAP is no longer supported, Microsoft Defender for Identity switched to NPCAP. WinPCAP mode installs NPCAP and removes WinPCAP. Admin only is an option where only administrators have access to the NPCAP driver. An Access Control List (ACL) sets permissions for only the SYSTEM and Administrator accounts. Users without administrative permissions require a User Access Control (UAC) elevation.

I created a script to check if the settings comply with the Microsoft Defender for Identity sensor expectations. Microsoft Defender for Identity expects the following settings.

  • Property AdminOnly set to 0 in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\npcap andHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\Parameters
  • Property WinPcapCompatible set to 1 in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\npcap andHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\Parameters
  • Property LoopbackSupport set to 1 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\Parameters
  • Property LoopbackAdapter can not exist in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\Parameters

Here is an example of the script.

Image 1: Output PowerShell script to validate NPCAP settings

Note: Save the script to the Domain Controller and run the script to validate the NPCAP settings.

& '.\MDI NPCAP Config Checker.ps1'

For example, the script fails on the “admin only” option, and Microsoft Defender for Identity reports health issues. Knowing what “admin only” does, you can change the registry settings and restart the NPCAP service to resolve the health issues in Microsoft Defender for Identity.

Conclusion

When you install NPCAP with the default setting, there will be no health issues in Microsoft Defender for Identity. Still, sometimes NPCAP is installed using a different application or settings, or a different option is selected, which causes health issues in Microsoft Defender for Identity. Knowing the impact of changing the option and restarting the service is enough to fix any health issues regarding NPCAP and Microsoft Defender for Identity.