Rediger

Del via


Install a Microsoft Defender for Identity sensor

This article describes how to install a Microsoft Defender for Identity sensor, including a standalone sensor. The default recommendation is to use the UI. However:

Prerequisites

Before you start, make sure that you have:

Install the sensor by using the UI

Perform the following steps on the domain controller, Active Directory Federation Services (AD FS) server, or Active Directory Certificate Services (AD CS) server.

  1. Verify that the machine has connectivity to the relevant Defender for Identity cloud service endpoints.

  2. Extract the installation files from the .zip file. Installing directly from the .zip file fails.

  3. Run Azure ATP sensor setup.exe with elevated privileges (Run as administrator) and follow the setup wizard.

  4. On the Welcome page, select your language and then select Next.

    Screenshot that shows selection of the Defender for Identity standalone sensor installation language.

    The installation wizard automatically checks if the server is a domain controller, an AD FS server, an AD CS server, or a dedicated server. The server type determines the sensor type:

    • If the server is a domain controller, AD FS server, or AD CS server, the Defender for Identity sensor is installed.
    • If the server is dedicated, the Defender for Identity standalone sensor is installed.

    For example, the wizard displays the following page to indicate that a Defender for Identity sensor is installed on domain controllers.

    Screenshot of the page that identifies the sensor deployment type.

  5. Select Next.

    The wizard issues a warning if the domain controller, AD FS server, AD CS server, or dedicated server doesn't meet the minimum hardware requirements for the installation.

    The warning doesn't prevent you from selecting Next and proceeding with the installation, which might still be the right option. For example, you need less room for data storage when you're installing a small lab test environment.

    For production environments, we highly recommend working with the Defender for Identity sizing tool to make sure your domain controllers or dedicated servers meet the capacity requirements.

  6. On the Configure the sensor page, enter the following information for the setup package:

    • Installation path: The location where the Defender for Identity sensor is installed. By default, the path is %programfiles%\Azure Advanced Threat Protection sensor. Leave the default value.
    • Access key: Retrieved from the Microsoft Defender portal in a previous step.

    Screenshot of the wizard page for Defender for Identity sensor configuration.

  7. Select Install. The following components are installed and configured during the installation of the Defender for Identity sensor:

    • Defender for Identity sensor service and Defender for Identity sensor updater service

    • Npcap OEM version 1.0

      Important

      Npcap OEM version 1.0 is automatically installed if no other version of Npcap is present. If you already have Npcap installed due to other software requirements or for any other reason, ensure that it's version 1.0 or later and that it has the required settings for Defender for Identity.

Viewing sensor versions

Beginning with sensor version 2.176, when you're installing the sensor from a new package, the version under Add/Remove Programs appears with the full number, such as 2.176.x.y. Previously, the version appeared as the static 2.0.0.0.

The installed version continues to appear even after the Defender for Identity cloud services run automatic updates.

View the sensor's real version on the Microsoft Defender XDR sensor settings page, in the executable path or in the file version.

Perform a Defender for Identity silent installation

The Defender for Identity silent installation for sensors is configured to automatically restart the server at the end of the installation, if necessary.

Schedule a silent installation only during a maintenance window. Because of a Windows Installer bug, you can't reliably use the norestart flag to make sure the server doesn't restart.

To track your deployment progress, monitor the Defender for Identity installer logs in %localappdata%\Temp.

Silent installation via a deployment system

When you're silently deploying a Defender for Identity sensor via System Center Configuration Manager or another software deployment system, we recommend that you create two deployment packages:

  • .NET Framework 4.7 or later, which might include restarting the domain controller
  • The Defender for Identity sensor

Make the Defender for Identity sensor package dependent on the deployment of the .NET Framework package deployment. If necessary, get the .NET Framework 4.7 offline deployment package.

Commands for running a silent installation

Use the following commands to perform a fully silent installation of the Defender for Identity sensor, by using the access key that you copied in a previous step.

cmd.exe syntax

"Azure ATP sensor Setup.exe" /quiet NetFrameworkCommandLineArguments="/q" AccessKey="<Access Key>"

PowerShell syntax

.\"Azure ATP sensor Setup.exe" /quiet NetFrameworkCommandLineArguments="/q" AccessKey="<Access Key>"

Note

When you're using the PowerShell syntax, omitting the .\ preface results in an error that prevents silent installation.

Installation options

Name Syntax Mandatory for silent installation? Description
Quiet /quiet Yes Runs the installer without displaying UI or prompts.
Help /help No Provides help and quick reference. Displays the correct use of the setup command, including a list of all options and behaviors.
NetFrameworkCommandLineArguments="/q" NetFrameworkCommandLineArguments="/q" Yes Specifies the parameters for the .NET Framework installation. Must be set to enforce the silent installation of .NET Framework.

Installation parameters

Name Syntax Mandatory for silent installation? Description
InstallationPath InstallationPath="" No Sets the path for the installation of Defender for Identity sensor binaries. Default path: %programfiles%\Azure Advanced Threat Protection Sensor.
AccessKey AccessKey="\*\*" Yes Sets the access key that's used to register the Defender for Identity sensor with the Defender for Identity workspace.
AccessKeyFile AccessKeyFile="" No Sets the workspace access key from the provided text file path.
DelayedUpdate DelayedUpdate=true No Sets the sensor's update mechanism to delay the update for 72 hours from the official release of each service update. For more information, see Delayed sensor update.
LogsPath LogsPath="" No Sets the path for the Defender for Identity sensor logs. Default path: %programfiles%\Azure Advanced Threat Protection Sensor.

Examples

Use the following commands to silently install the Defender for Identity sensor:

"Azure ATP sensor Setup.exe" /quiet NetFrameworkCommandLineArguments="/q" AccessKey="<access key value>"
"Azure ATP sensor Setup.exe" /quiet NetFrameworkCommandLineArguments="/q" AccessKeyFile="C:\Path\myAccessKeyFile.txt"

Command for running a silent installation with a proxy configuration

Use the following command to configure your proxy together with a silent installation:

"Azure ATP sensor Setup.exe" [/quiet] [/Help] [ProxyUrl="http://proxy.internal.com"] [ProxyUserName="domain\proxyuser"] [ProxyUserPassword="ProxyPassword"]`

Note

If you previously configured your proxy by using legacy options, including WinINet or a registry key update, you need to make any changes with the same method that you used originally. For more information, see Change proxy configuration using legacy methods.

Installation parameters

Name Syntax Mandatory for silent installation? Description
ProxyUrl ProxyUrl="http://proxy.contoso.com:8080" No Specifies the proxy URL and port number for the Defender for Identity sensor.
ProxyUserName ProxyUserName="Contoso\ProxyUser" No If your proxy service requires authentication, define a username in the DOMAIN\user format.
ProxyUserPassword ProxyUserPassword="P@ssw0rd" No Specifies the password for your proxy username.

The Defender for Identity sensor encrypts credentials and stores them locally.

Tip

If you need to update your proxy settings later on, use PowerShell or the Azure CLI. For more information, see Configure endpoint proxy and internet connectivity settings. We recommend that you create and use a custom DNS A record for the proxy server. You can then use that record to change the proxy server's address when necessary and use the hosts file for testing.

After you install a sensor, you can follow extra steps:

Next step