Update Microsoft Defender for Identity sensors

Keeping your Microsoft Defender for Identity sensors up to date provides the best possible protection for your organization.

The Microsoft Defender for Identity service is typically updated a few times a month with new detections, features, and performance improvements. Typically these updates include a corresponding minor update to the sensors. Defender for Identity sensors and corresponding updates never have write permissions to your domain controllers. Sensor update packages only control the Defender for Identity sensor and sensor detection capabilities.

Defender for Identity sensor update types

Defender for Identity sensors support two kinds of updates:

  • Minor version updates:

    • Frequent
    • Requires no MSI install, and no registry changes
    • Restarted: Defender for Identity sensor services
    • Not restarted: Domain controller services and server OS
  • Major version updates:

    • Rare
    • Contains significant changes
    • Restarted: Defender for Identity sensor services
    • Possible restart required: Domain controller services and server OS

Note

  • Control automatic sensor restarts (for major updates) in the Defender for Identity portal configuration page.
  • The Defender for Identity sensor always reserves at least 15% of the memory and CPU available on the domain controller where it is installed. If the Defender for Identity service consumes too much memory, the service is automatically stopped and restarted by the Defender for Identity sensor updater service.

Delayed sensor update

Given the rapid speed of ongoing Defender for Identity development and release updates, you may decide to define a subset group of your sensors as a delayed update ring, allowing for a gradual sensor update process. Defender for Identity enables you to choose how your sensors are updated and set each sensor as a Delayed update candidate.

Sensors not selected for delayed update are updated automatically each time the Defender for Identity service is updated. Sensors set to Delayed update are updated 72 hours after the official release of each service update.

The delayed update option enables you to select specific sensors as an automatic update ring, on which all updates are rolled out automatically, and set the rest of your sensors to update on delay, giving you time to confirm that the automatically updated sensors were successful.

Note

If an error occurs and a sensor does not update, open a support ticket. To further harden your proxy to only communicate with your instance, see Proxy configuration. Authentication between your sensors and the Azure cloud service uses strong, certificate-based mutual authentication.

Each update is tested and validated on all supported operating systems to cause minimal impact to your network and operations.

To set a sensor to delayed update:

  1. From the Defender for Identity portal, click on the settings icon and select Configuration.
  2. Click on the Updates tab.
  3. In the table row next to each sensor you want to delay, set the Delayed update slider to On.
  4. Click Save.

Sensor update process

Every few minutes, Defender for Identity sensors check whether they have the latest version. After the Defender for Identity cloud service is updated to a newer version, the Defender for Identity sensor service starts the update process:

  1. Defender for Identity cloud service updates to the latest version.

  2. Defender for Identity sensor updater service learns that there is an updated version.

  3. Sensors that are not set to Delayed update start the update process on a sensor-by-sensor basis:

    1. Defender for Identity sensor updater service pulls the updated version from the cloud service (in cab file format).
    2. Defender for Identity sensor updater validates the file signature.
    3. Defender for Identity sensor updater service extracts the cab file to a new folder in the sensor's installation folder. By default it is extracted to C:\Program Files\Azure Advanced Threat Protection Sensor\<version number>.
    4. Defender for Identity sensor service points to the new files extracted from the cab file.
    5. Defender for Identity sensor updater service restarts the Defender for Identity sensor service.

      Note

      Minor sensor updates install no MSI and change no registry values or system files. Even a pending restart does not impact a sensor update.

    6. Sensors run based on the newly updated version.
    7. Sensor receives clearance from the Azure cloud service. You can verify sensor status in the Updates page.
    8. The next sensor starts the update process.
  4. 72 hours after the Defender for Identity cloud service is updated, sensors selected for Delayed update start their update process according to the same update process as automatically updated sensors.
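To confirm on a domain controller that the steps above completed, the following PowerShell audit is an added example, not Microsoft's code and not the updater's own signature validation. It lists the version folders under the default installation path, reports whether each sensor service runs from the newest one, and lists binaries whose Authenticode status is not Valid. It assumes the default path, version-numbered folder names, and service display names that begin with the product name used in that path.

```powershell
# Added example: local, read-only audit of a sensor update on one domain controller.
# Assumptions: default install path; version folders have dotted numeric names;
# service display names start with the product name used in the install path.
$installRoot = 'C:\Program Files\Azure Advanced Threat Protection Sensor'
$displayName = 'Azure Advanced Threat Protection Sensor%'   # assumed display-name prefix

# 1. Version folders left by the updater, oldest first.
$versions = foreach ($dir in Get-ChildItem -Path $installRoot -Directory) {
    $parsed = $null
    if ([version]::TryParse($dir.Name, [ref]$parsed)) {
        [pscustomobject]@{
            Version = $parsed
            Path    = $dir.FullName
            Created = $dir.CreationTime
        }
    }
}
if (-not $versions) { throw "No version folders found under $installRoot" }
$versions = @($versions | Sort-Object Version)
$newest   = $versions[-1]
$versions | Format-Table Version, Created -AutoSize

# 2. Does each sensor service run from the newest folder (step 4 of the update)?
Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE '$displayName'" |
    ForEach-Object {
        $binPath = [string]$_.PathName
        [pscustomobject]@{
            Service    = $_.Name
            State      = $_.State
            FromNewest = ($binPath.IndexOf($newest.Path,
                          [StringComparison]::OrdinalIgnoreCase) -ge 0)
        }
    } | Format-Table -AutoSize

# 3. Binaries in the newest folder whose Authenticode status is not 'Valid'.
#    An empty result means every .exe and .dll carries a valid signature.
Get-ChildItem -Path $newest.Path -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    Get-AuthenticodeSignature |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object Status, Path |
    Format-Table -AutoSize
```

A service that still reports a path under an older version folder after the Updates page shows the new version is worth comparing against the sensor's health alerts.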


For any sensor that fails to complete the update process, a relevant health alert is triggered, and is sent as a notification.
