Update Defender for IoT OT monitoring software

This article describes how to update Defender for IoT software versions on OT sensor and on-premises management console appliances.

You can purchase preconfigured appliances for your sensors and on-premises management consoles, or install software on your own hardware machines. In either case, you'll need to update software versions to use new features for OT sensors and on-premises management consoles.

For more information, see Which appliances do I need?, Pre-configured physical appliances for OT monitoring, and OT monitoring software release notes.

Legacy version updates vs. recent version updates

When downloading your update files from the Azure portal, you’ll see the option to download different files for different types of updates. Update files differ depending on the version you’re updating from and updating to.

Make sure to select the file that matches your upgrade scenario.

Updates from legacy versions may require a series of software updates. If you still have sensor version 3.1.1 installed, you'll need to first upgrade to version 10.5.5, and then to a 22.x version. For example:

Screenshot of the multiple download options displayed.

Verify network requirements

  • Make sure that your sensors can reach the Azure data center address ranges and set up any extra resources required for the connectivity method your organization is using.

    For more information, see OT sensor cloud connection methods and Connect your OT sensors to the cloud.

  • Make sure that your firewall rules are configured as needed for the new version you're updating to. For example, the new version may require a new or modified firewall rule to support sensor access to the Azure portal. From the Sites and sensors page, select More actions > Download sensor endpoint details for the full list of endpoints required to access the Azure portal.

    For more information, see Networking requirements and Sensor management options from the Azure portal.

Update an on-premises management console

This procedure describes how to update Defender for IoT software on an on-premises management console, and is only relevant if your organization is using an on-premises management console to manage multiple sensors simultaneously.

In such cases, make sure to update your on-premises management consoles before you update software on your sensors. This process takes about 30 minutes.

Important

The software version on your on-premises management console must be equal to the version of your most up-to-date sensor. Each on-premises management console version is backward compatible with older, supported sensor versions, but cannot connect to newer sensor versions.

To update on-premises management console software:

  1. In the Azure portal, go to Defender for IoT > Getting started > Updates.

  2. Scroll down to the On-premises management console section, and select Download for the software update. Save your management-secured-patcher-<version>.tar file locally. For example:

    Screenshot of the Download option for the on-premises management console.

    Make sure to select the version for the update you're performing. For more information, see Legacy version updates vs. recent version updates.

    All files downloaded from the Azure portal are signed by root of trust so that your machines use signed assets only.

  3. On your on-premises management console, select System Settings > Version Update.

  4. In the Upload File dialog, select BROWSE FILE and then browse to and select the update file you'd downloaded from the Azure portal.

    The update process starts, and may take about 30 minutes. During your upgrade, the system is rebooted twice.

    Sign in when prompted and check the version number listed in the bottom-left corner to confirm that the new version is listed.

Update your sensors

You can update software on your sensors individually, directly from each sensor console, or in bulk from the on-premises management console.

Note

If you are updating from software versions earlier than 22.1.x, note that version 22.1.x has a large update with more complicated background processes. Expect this update to take more time than earlier updates have required.

Prerequisites

If you're using an on-premises management console to manage your sensors, make sure to update your on-premises management console software before you update your sensor software.

On-premises management software is backwards compatible, and can connect to sensors with earlier versions installed, but not later versions. If you update your sensor software before updating your on-premises management console, the updated sensor will be disconnected from the on-premises management console.

For more information, see Update an on-premises management console.

This procedure describes how to send a software version update to one or more OT sensors, and then run the updates remotely from the Azure portal. Bulk updates are supported for up to 10 sensors at a time.

Tip

Sending your version update and running the update process are two separate steps, which can be done one right after the other or at different times.

For example, you might want to first send the update to your sensor and then have an administrator run the installation during a planned maintenance window.

Prerequisites: A cloud-connected sensor with a software version equal to or higher than 22.2.3, but not yet the latest version available.
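
The version rules on this page (console before sensors, the 3.1.1 to 10.5.5 step, a new activation file when updating from earlier than 22.1.x, remote updates only for cloud-connected sensors at 22.2.3 or higher, 10 sensors per bulk update) can be checked against a sensor inventory before any package is sent. This is an added example, not Microsoft's code: the `Sensor` record, `plan_update`, the sample fleet and the 22.3.0 target are constructed for illustration, and treating every version below 10.5.5 like 3.1.1 is an assumption.

```python
from dataclasses import dataclass

REMOTE_MIN = (22, 2, 3)      # remote update needs a cloud-connected sensor >= 22.2.3
ACTIVATION_BEFORE = (22, 1)  # updating from earlier than 22.1.x needs a new activation file
LEGACY_STEP = (10, 5, 5)     # 3.1.1 must go to 10.5.5 before a 22.x version
BULK_LIMIT = 10              # bulk updates: up to 10 sensors at a time

@dataclass
class Sensor:                # hypothetical inventory record, not a Defender for IoT type
    name: str
    version: str
    cloud_connected: bool

def parse(version):
    """Turn '22.2.3' into (22, 2, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def plan_update(sensors, target, console_version=None):
    """Return (console_first, remote_batches, manual_steps) for moving to target."""
    tgt = parse(target)
    # The console cannot connect to sensors newer than itself, so it goes first.
    console_first = console_version is not None and parse(console_version) < tgt
    remote, manual = [], {}
    for s in sensors:
        cur = parse(s.version)
        if cur >= tgt:
            continue                      # already at or above the target
        if s.cloud_connected and cur >= REMOTE_MIN:
            remote.append(s.name)         # eligible for Send package / Update sensor
            continue
        steps = []
        if cur < LEGACY_STEP:             # assumption: generalises the 3.1.1 case
            steps.append("update to 10.5.5 first")
        if cur[:2] < ACTIVATION_BEFORE and tgt[0] >= 22:
            steps.append("download and apply a new activation file")
        steps.append("update locally; not eligible for remote update")
        manual[s.name] = steps
    batches = [remote[i:i + BULK_LIMIT] for i in range(0, len(remote), BULK_LIMIT)]
    return console_first, batches, manual

# Constructed sample inventory (names and versions are illustrative).
FLEET = [Sensor(f"line-{n}", "22.2.3", True) for n in range(12)] + [
    Sensor("plant-a", "3.1.1", False), Sensor("plant-b", "22.1.4", True),
    Sensor("plant-c", "22.3.0", True)]

if __name__ == "__main__":
    print(plan_update(FLEET, "22.3.0", console_version="22.2.3"))
```
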

To send the software update to your OT sensor:

  1. In the Azure portal, go to Defender for IoT > Sites and sensors and identify the sensors that have legacy versions installed.

    If you know your site and sensor name, you can browse or search for it directly. Alternatively, filter the sensors listed to show only cloud-connected OT sensors that have Remote updates supported and have a legacy software version installed. For example:

    Screenshot of how to filter for OT sensors that are ready for remote update.

  2. Select one or more sensors to update, and then select Update (Preview) > Send package. For a specific sensor, you can also access the Send package option from the ... options menu to the right of the sensor row. For example:

    Screenshot of the Send package option.

  3. In the Send package pane that appears on the right, check to make sure that you're sending the correct software to the sensor you want to update. For more information, see Legacy version updates vs. recent version updates.

    To jump to the release notes for the new version, select Learn more at the top of the pane.

  4. When you're ready, select Send package. The software transfer to your sensor machine is started, and you can see the progress in the Sensor version column.

    When the transfer is complete, the Sensor version column changes to Ready to update.

    Hover over the Sensor version value to see the source and target version for your update.

To run your sensor update from the Azure portal:

When the Sensor version column for your sensors reads Ready to update, you're ready to run your update.

  1. As in the previous step, either select multiple sensors that are ready to update, or select one sensor at a time.

  2. Select either Update (Preview) > Update sensor from the toolbar, or for an individual sensor, select the ... options menu > Update sensor. For example:

    Screenshot of the Update sensor option.

  3. In the Update sensor (Preview) pane that appears on the right, verify your update details.

    When you're ready, select Update now > Confirm update. In the grid, the Sensor version value changes to Installing until the update is complete, when the value switches to the new sensor version number instead.

If a sensor fails to update for any reason, the software reverts to the previously installed version, and a sensor health alert is triggered. For more information, see Understand sensor health and Sensor health message reference.

Note

After upgrading to version 22.1.x or higher, the new upgrade log is accessible by the cyberx_host user on the sensor at the following path: /opt/sensor/logs/legacy-upgrade.log. To access the update log, sign in to the sensor via SSH with the cyberx_host user.

For more information, see Default privileged on-premises users.

Download and apply a new activation file

Relevant only when updating from a legacy version to version 22.x or higher

This procedure is relevant only if you're updating sensors from software versions earlier than 22.1.x. Such updates require a new activation file for each sensor, which you'll use to activate the sensor before you update the software.

To prepare your sensor for update:

  1. In Defender for IoT on the Azure portal, select Sites and sensors on the left.

  2. Select the site where you want to update your sensor, and then browse to the sensor you want to update.

  3. Expand the row for your sensor, select the options ... menu on the right of the row, and then select Prepare to update to 22.x. For example:

    Screenshot of the Prepare to update option.

  4. In the Prepare to update sensor to version 22.X message, select Let's go.

    A new row is added to the grid for the sensor you're upgrading. In that added row, select to download the activation file.

  5. Verify that the status showing in the new sensor row has switched to Pending activation.

All files downloaded from the Azure portal are signed by root of trust so that your machines use signed assets only.

Note

The previous sensor is not automatically deleted after your update. After you've updated the sensor software, make sure to remove the previous sensor from Defender for IoT.

To apply your activation file:

If you're upgrading from a legacy version to version 22.x or higher, make sure to apply the new activation file to your sensor.

  1. On your sensor, select System settings > Sensor management > Subscription & Mode Activation.

  2. In the Subscription & Mode Activation pane that appears on the right, select Select file, and then browse to and select the activation file you'd downloaded earlier.

  3. In Defender for IoT on the Azure portal, monitor your sensor's activation status. When the sensor is fully activated:

    • The sensor's Overview page shows an activation status of Valid.
    • In the Azure portal, on the Sites and sensors page, the sensor is listed as OT cloud connected and with the updated sensor version.

Remove your previous sensor

Your previous sensors continue to appear in the Sites and sensors page until you delete them. After you've applied your new activation file and updated sensor software, make sure to delete any remaining, previous sensors from Defender for IoT.

Delete a sensor from the Sites and sensors page in the Azure portal. For more information, see Sensor management options from the Azure portal.

Remove private IoT Hubs

If you've updated from a version earlier than 22.1.x, you may no longer need the private IoT Hubs you'd previously used to connect sensors to Defender for IoT.

In such cases:

  1. Review your IoT hubs to ensure that they're not being used by other services.

  2. Verify that your sensors are connected successfully.

  3. Delete any private IoT Hubs that are no longer needed. For more information, see the IoT Hub documentation.
