Activate and set up an on-premises management console (Legacy)


Defender for IoT now recommends using Microsoft cloud services or existing IT infrastructure for central monitoring and sensor management, and plans to retire the on-premises management console on January 1st, 2025.

For more information, see Deploy hybrid or air-gapped OT sensor management.

This article is one in a series of articles describing the deployment path for a Microsoft Defender for IoT on-premises management console for air-gapped OT sensors.

Diagram of a progress bar with Activate and initial setup highlighted.

When working in an air-gapped or hybrid operational technology (OT) environment with multiple sensors, use an on-premises management console to configure settings and view data in a central location for all connected OT sensors.

This article describes how to activate your on-premises management console and configure settings for an initial deployment.


Before performing the procedures in this article, you need to have:

Sign in to your on-premises management console

During the software installation process, you'll have received a set of credentials for privileged access. We recommend using the Support credentials when signing into the on-premises management console for the first time.

For more information, see Default privileged on-premises users.

In a browser, go to the on-premises management console's IP address, and enter the username and password.


If you forgot your password, select Password recovery to reset the password. For more information, see Recover a privileged user password.

Activate the on-premises management console

Activate your on-premises management console using a downloaded file from the Azure portal. Either use an activation file you'd downloaded when adding your plan, or use the steps in this procedure to download the activation file afresh.

To download the activation file:

  1. In Defender for IoT in the Azure portal, select Plans and pricing.


    If you'd prefer to start in the on-premises management console, you'll see a message prompting you to take action for a missing activation file after signing into the on-premises management console for the first time.

    In the message bar, select the Take action link. An Activation dialog shows the number of monitored and licensed devices.

    Since you're just starting the deployment, both of these values should be 0.

    Select the link to the Azure portal to jump to Defender for IoT's Plans and pricing page in the Azure portal. |

  2. In the Plans grid, select your subscription.

    If you don't see the subscription that you're looking for, make sure that you're viewing the Azure portal with the correct subscriptions selected. For more information, see Manage Azure portal settings.

  3. In the toolbar, select Download on-premises management console activation file. The activation file downloads.

    All files downloaded from the Azure portal are signed by root of trust so that your machines use signed assets only.

To activate your on-premises management console:

  1. If you haven't yet, sign into your on-premises management console. In the Activation dialog, select CHOOSE FILE and select the downloaded activation file.

    A confirmation message appears to confirm that the file's been uploaded successfully.


You'll need to upload a new activation file in specific cases, such as if you purchase a new license for a different site size after having uploaded your initial activation file.

For more information, see Upload a new activation file.

Activation files for legacy OT plans

Starting June 1, 2023, Microsoft Defender for IoT licenses for OT monitoring are available for purchase only in the Microsoft 365 admin center, and OT sensors are onboarded to Defender for IoT based on your licensed site sizes.

Existing customers can continue to use any legacy OT plan, with no changes in functionality. If you're working with a legacy OT plan, and you select multiple subscriptions in the Plans and pricing page before downloading your activation file, the activation file is associated with all selected subscriptions and the number of devices licensed defined at the time of download.

Deploy an SSL/TLS certificate

The following procedures describe how to deploy an SSL/TLS certificate on your OT sensor. We recommend using CA-signed certificates in production environments.

The requirements for SSL/TLS certificates are the same for OT sensors and on-premises management consoles. For more information, see:

To upload a CA-signed certificate:

  1. Sign into your on-premises management console and select System settings > SSL/TLS Certificates.

  2. In the SSL/TLS Certificates dialog, select Add Certificate.

  3. In the Import a trusted CA-signed certificate area, enter a certificate name and optional passphrase, and then upload your CA-signed certificate files.

  4. (Optional) Clear the Enable certificate validation option to avoid validating the certificate against a CRL server.

  5. Select SAVE to save your certificate settings.

For more information, see Troubleshoot certificate upload errors.

Next steps