
How to recover manually deleted OT devices from Defender for IoT?

Rushikesh Kulkarni 0 Reputation points
2026-03-17T16:21:26.57+00:00

Hello,
I have a cloud-connected OT Sensor. Sensor detected the network traffic & generated the OT Device Inventory. The same inventory was coming up on the Azure.

However, the firmware version was not showing up for any of the assets. The network traffic is very low, around 30 PPS (Packets Per Second). May I know why it is not showing the firmware versions?
For troubleshooting, I deleted the devices from both consoles, viz. Sensor's Local Console and Azure Portal.
I am wondering that the devices are not coming up on the inventory pages (Local & Azure). Is there any way to recover the devices discovered earlier?

Thanks,
Rushikesh

Azure Internet of Things

2 answers

  1. Manas Mohanty 16,190 Reputation points Microsoft External Staff Moderator
    2026-04-05T09:05:45.83+00:00

    Hi Rushikesh Kulkarni

    There is no recovery, cooldown, or “re‑authorization” mechanism for manually deleted OT devices in Defender for IoT. Once deleted, those device entities are permanently removed from the active inventory. Defender for IoT does not create ghost entries, and it will not automatically rediscover them unless new qualifying network traffic is observed again.

    To answer your question explicitly:

    | Query | Answer |
    | --- | --- |
    | Cool‑down period after deletion? | ❌ No |
    | Time‑based rediscovery? | ❌ No |
    | Auto‑treat deleted devices as Authorized later? | ❌ No |
    | Hidden ghost device entries? | ❌ No |

    Data Mining Reports ≠ Device Inventory

    • Data Mining uses historical packet metadata
    • It shows IP/MAC/protocol evidence that existed in the past
    • It does not recreate or validate device entities

    So:

    • Seeing assets in Data Mining reports does not mean they are active, authorized, or recoverable
    • These are forensic artifacts, not inventory objects

    This is normal and expected behavior.

    There are only three supported methods to make deleted assets reappear:

    Option 1: Generate qualifying OT traffic (most common fix)

    If operationally allowed:

    • Open engineering software and go online with PLC/HMI
    • Perform a read‑only status check
    • Trigger protocol identity exchanges

    This is the most reliable rediscovery trigger.

    Option 2: Validate SPAN/TAP coverage

    Check on the sensor:

    • Monitoring interface counters are increasing
    • No excessive packet drops
    • Correct VLANs mirrored
    • Both ingress and egress traffic present

    Many rediscovery issues are actually visibility issues.

    Option 3: Restore from backup (only way to “recover” history)

    If (and only if) you have:

    • Sensor VM snapshot
    • Sensor backup/export from before deletion

    Then restoring that snapshot will bring back:

    • Original device entities
    • Historical attributes
    • Authorizations

    Without a backup, recovery is impossible.

    What Defender for IoT will NOT do (important)

    • ❌ It will not “remember” deleted devices
    • ❌ It will not re‑authorize based on historical evidence
    • ❌ It will not promote Data Mining artifacts into inventory
    • ❌ It will not rediscover devices without new traffic.

    Reference used

    https://learn.microsoft.com/en-us/azure/defender-for-iot/organizations/how-to-investigate-sensor-detections-in-a-device-inventory

    https://learn.microsoft.com/en-us/azure/defender-for-iot/organizations/back-up-restore-sensor#restore-an-ot-sensor

    https://learn.microsoft.com/en-us/defender-for-iot/manage-devices-inventory

    Thank you.


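The Option 2 checks in the answer above (counters increasing, no excessive packet drops) can be measured on a Linux host that receives the SPAN/TAP feed. This is an added example, not part of that answer and not a Defender for IoT tool; the interface name, the 10-second window and the 1% drop threshold are assumptions, and it reads only the standard Linux counters under `/sys/class/net`.

```shell
#!/bin/sh
# Added example: sample a monitoring interface's counters twice and report
# packets per second and the share of packets dropped in that window.
# Assumed: interface name (e.g. eth1), 10 s window, 1% (10 per 1000) threshold.

# read_counter DIR NAME -> counter value, or 0 if the driver lacks it
read_counter() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo 0; fi
}

# pps BEFORE AFTER SECONDS -> integer packets per second
pps() {
    echo $(( ($2 - $1) / $3 ))
}

# drop_permille RX_DELTA DROP_DELTA -> drops per 1000 packets offered
# (approximation: treats dropped packets as not included in rx_packets)
drop_permille() {
    total=$(( $1 + $2 ))
    if [ "$total" -eq 0 ]; then echo 0; else echo $(( $2 * 1000 / total )); fi
}

# verdict RX_DELTA DROP_DELTA -> NO_TRAFFIC | DROPPING | OK
verdict() {
    if [ "$1" -le 0 ]; then echo NO_TRAFFIC
    elif [ "$(drop_permille "$1" "$2")" -gt 10 ]; then echo DROPPING
    else echo OK; fi
}

# drops DIR -> kernel drops plus NIC ring overruns
drops() {
    echo $(( $(read_counter "$1" rx_dropped) + $(read_counter "$1" rx_missed_errors) ))
}

check_iface() {
    dir="/sys/class/net/$1/statistics"; secs="${2:-10}"
    [ -d "$dir" ] || { echo "no such interface: $1" >&2; return 2; }
    rx1=$(read_counter "$dir" rx_packets); d1=$(drops "$dir")
    sleep "$secs"
    rx2=$(read_counter "$dir" rx_packets); d2=$(drops "$dir")
    rx=$(( rx2 - rx1 )); dr=$(( d2 - d1 ))
    echo "iface=$1 pps=$(pps "$rx1" "$rx2" "$secs") dropped=$dr verdict=$(verdict "$rx" "$dr")"
}

# Runs only when an interface is given, e.g.: sh check_span.sh eth1 10
if [ $# -ge 1 ]; then check_iface "$@"; fi
```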
  2. Q&A Assist
    2026-03-17T16:21:44.7466667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Deleting devices from the OT sensor console or from Defender for IoT inventories is not reversible. There is no supported way to “recover” previously discovered devices once they have been manually deleted from the inventory.

    On an OT sensor, when devices are deleted from the Device map or Device inventory, they are removed from the inventory database. The guidance for merge operations explicitly notes that incorrect merges must be corrected by deleting and waiting for rediscovery, which also applies conceptually here: the only way to get devices back is for the sensor to rediscover them from live network traffic.

    For rediscovery to occur:

    • The OT sensor must still be properly connected and monitoring the relevant SPAN/TAP or network segment.
    • The devices must generate sufficient network traffic again so the sensor can identify them as devices.
    • Once rediscovered on the sensor, cloud-connected sensors will repopulate the Azure portal device inventory based on the new detections.

    If traffic is very low (around 30 PPS), rediscovery can take time or may not occur until the devices communicate in ways that allow the sensor to fingerprint them again.

    Regarding firmware versions: the provided context does not describe any specific requirement or guarantee that firmware versions will always be populated. Defender for IoT device inventory surfaces device data detected from network traffic; if the observed protocols and traffic do not expose firmware information, the firmware field can remain empty even when devices are discovered and listed.

    Summary:

    • Manually deleted devices cannot be restored from a backup or recycle bin in Defender for IoT.
    • Devices will reappear only when the OT sensor rediscovers them from network traffic.
    • Firmware version fields may remain blank if the traffic being inspected does not reveal that information.
