moving high availability to cm legacy

Author: batamig

articles/defender-for-iot/organizations/concept-zero-trust.md

@@ -73,17 +73,6 @@ For example, if your growing company has factories and offices in Paris, Lagos,
 |**Dubai office**     |     - Ground floor (Convention center) <br>- Floor 1 (Sales)<br>- Floor 2 (Offices)     |
 |**Tianjin office**     |   - Ground floor (Offices) <br>- Floors 1-2 (Factory)        |
 
-<!-- how to update this?
-### Zero Trust and air-gapped environments
-
-If you're working with a large, air-gapped environment, we recommend that you [deploy an on-premises management console](legacy-central-management/install-software-on-premises-management-console.md) for central maintenance and security monitoring. Use the on-premises management console to create sites and zones across all connected OT sensors.
-
-> [!NOTE]
-> Sites and zones configured on the Azure portal are not synchronized with sites and zones configured on an on-premises management console. 
->
-> If you're working with a large deployment, we recommend that you use the Azure portal to manage cloud-connected sensors, and the on-premises management console to manage locally-managed sensors.
-
--->
 
 ## Next steps
 

articles/defender-for-iot/organizations/legacy-central-management/how-to-manage-sensors-from-the-on-premises-management-console.md

@@ -21,6 +21,80 @@ To perform the procedures in this article, make sure you have:
 
 - Access to the on-premises management console as an **Admin** user. For more information, see [On-premises users and roles for OT monitoring with Defender for IoT](../roles-on-premises.md).
 
+# Update sensors from an on-premises management console
+
+This procedure describes how to update several OT sensors simultaneously from a legacy on-premises management console.
+
+> [!IMPORTANT]
+> If you're updating multiple, locally-managed OT sensors, make sure to [update the on-premises management console](#update-an-on-premises-management-console) *before* you update any connected sensors.
+>
+>
+The software version on your on-premises management console must be equal to that of your most up-to-date sensor version. Each on-premises management console version is backwards compatible to older, supported sensor versions, but can't connect to newer sensor versions.
+>
+
+### Download the update packages from the Azure portal
+
+1. In [Defender for IoT](https://portal.azure.com/#view/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/~/Getting_started) on the Azure portal, select **Sites and sensors** > **Sensor update (Preview)**.
+
+1. In the **Local update** pane, select the software version that's currently installed on your sensors.
+
+1. Select the **Are you updating through a local manager** option, and then select the software version that's currently installed on your on-premises management console.
+
+1. In the **Available versions** area of the **Local update** pane, select the version you want to download for your software update.
+
+    The **Available versions** area lists all update packages available for your specific update scenario. You may have multiple options, but there will always be one specific version marked as **Recommended** for you. For example:
+
+    :::image type="content" source="media/update-ot-software/recommended-version.png" alt-text="Screenshot highlighting the recommended update version for the selected update scenario." lightbox="media/update-ot-software/recommended-version.png":::
+
+1. Scroll down further in the **Local update** pane and select **Download** to download the software file.
+
+    If you'd selected the **Are you updating through a local manager** option, files will be listed for both the on-premises management console and the sensor. For example:
+
+    :::image type="content" source="media/update-ot-software/download-update-package.png" alt-text="Screenshot of the Local update pane with two download files showing, for an on-premises management console and a sensor." lightbox="media/update-ot-software/download-update-package.png":::
+
+    The update packages are downloaded with the following file syntax names:
+
+    - `sensor-secured-patcher-<Version number>.tar` for the OT sensor update
+    - `management-secured-patcher-<Version number>.tar` for the on-premises management console update
+
+    Where `<version number>` is the software version number you're updating to.
+
+[!INCLUDE [root-of-trust](includes/root-of-trust.md)]
+
+### Update an on-premises management console
+
+1. Sign into your on-premises management console and select **System Settings** > **Version Update**.
+
+1. In the **Upload File** dialog, select **BROWSE FILE** and then browse to and select the update package you'd downloaded from the Azure portal.
+
+    The update process starts, and may take about 30 minutes. During your upgrade, the system is rebooted twice.
+
+    Sign in when prompted and check the version number listed in the bottom-left corner to confirm that the new version is listed.
+
+### Update your OT sensors from the on-premises management console
+
+1. Sign into your on-premises management console, select **System Settings**, and identify the sensors that you want to update.
+
+1. For any sensors you want to update, make sure that the **Automatic Version Updates** option is selected.
+
+    Also make sure that sensors you *don't* want to update are *not* selected.
+
+    Save your changes when you're finished selecting sensors to update. For example:
+
+   :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/automatic-updates.png" alt-text="Screenshot of on-premises management console with Automatic Version Updates selected." lightbox="media/how-to-manage-sensors-from-the-on-premises-management-console/automatic-updates.png":::
+
+    > [!IMPORTANT]
+    > If your **Automatic Version Updates** option is red, you have an update conflict. An update conflict might occur if you have multiple sensors marked for automatic updates but the sensors currently have different software versions installed. Select the **Automatic Version Updates** option to resolve the conflict.
+    >
+
+1. Scroll down and on the right, select the **+** in the **Sensor version update** box. Browse to and select the update file you'd downloaded from the Azure portal.
+
+    Updates start running on each sensor selected for automatic updates.
+
+1. Go to the **Site Management** page to view the update status and progress for each sensor.
+
+    If updates fail, a retry option appears with an option to download the failure log. Retry the update process or open a support ticket with the downloaded log files for assistance.
+
 ## Push system settings to OT sensors
 
 If you have an OT sensor already configured with system settings that you want to share across to other OT sensors, push those settings from the on-premises management console. Sharing system settings across OT sensors saves time and streamlines your settings across your system.

articles/defender-for-iot/organizations/legacy-central-management/how-to-set-up-high-availability.md

@@ -8,7 +8,7 @@ ms.topic: how-to
 
 [!INCLUDE [on-premises-management-deprecation](includes/on-premises-management-deprecation.md)]
 
-Increase the resiliency of your Defender for IoT deployment by configuring [high availability](legacy-central-management/legacy-air-gapped-deploy.md#high-availability-for-on-premises-management-consoles) on your on-premises management console. High availability deployments ensure your managed sensors continuously report to an active on-premises management console.
+Increase the resiliency of your Defender for IoT deployment by configuring [high availability](legacy-air-gapped-deploy.md#high-availability-for-on-premises-management-consoles) on your on-premises management console. High availability deployments ensure your managed sensors continuously report to an active on-premises management console.
 
 This deployment is implemented with an on-premises management console pair that includes a primary and secondary appliance.
 
@@ -19,14 +19,14 @@ This deployment is implemented with an on-premises management console pair that
 
 Before you perform the procedures in this article, verify that you've met the following prerequisites:
 
-- Make sure that you have an [on-premises management console installed](./legacy-central-management/install-software-on-premises-management-console.md) on both a primary appliance and a secondary appliance.
+- Make sure that you have an [on-premises management console installed](install-software-on-premises-management-console.md) on both a primary appliance and a secondary appliance.
 
     - Both your primary and secondary on-premises management console appliances must be running identical hardware models and software versions.
-    - You must be able to access both the primary and secondary on-premises management consoles as a [privileged user](references-work-with-defender-for-iot-cli-commands.md), for running CLI commands. For more information, see [On-premises users and roles for OT monitoring](roles-on-premises.md).
+    - You must be able to access both the primary and secondary on-premises management consoles as a [privileged user](../references-work-with-defender-for-iot-cli-commands.md), for running CLI commands. For more information, see [On-premises users and roles for OT monitoring](../roles-on-premises.md).
 
-- Make sure that the primary on-premises management console is fully [configured](legacy-central-management/how-to-manage-the-on-premises-management-console.md), including at least two [OT network sensors connected](legacy-central-management/connect-sensors-to-management.md) and visible in the console UI, as well as the scheduled backups or VLAN settings. All settings are applied to the secondary appliance automatically after pairing.
+- Make sure that the primary on-premises management console is fully [configured](how-to-manage-the-on-premises-management-console.md), including at least two [OT network sensors connected](connect-sensors-to-management.md) and visible in the console UI, as well as the scheduled backups or VLAN settings. All settings are applied to the secondary appliance automatically after pairing.
 
-- Make sure that your SSL/TLS certificates meet required criteria. For more information, see [SSL/TLS certificate requirements for on-premises resources](best-practices/certificate-requirements.md).
+- Make sure that your SSL/TLS certificates meet required criteria. For more information, see [SSL/TLS certificate requirements for on-premises resources](../best-practices/certificate-requirements.md).
 
 - Make sure that your organizational security policy grants you access to the following services, on the primary and secondary on-premises management console. These services also allow the connection between the sensors and secondary on-premises management console:
 
@@ -47,11 +47,11 @@ Before you perform the procedures in this article, verify that you've met the fo
 
     1. Sign in to the secondary on-premises management console, and select **System Settings**.
 
-    1. In the **Sensor Setup - Connection String** area, under **Copy Connection String**, select the :::image type="icon" source="media/how-to-troubleshoot-the-sensor-and-on-premises-management-console/eye-icon.png" border="false"::: button to view the full connection string.
+    1. In the **Sensor Setup - Connection String** area, under **Copy Connection String**, select the :::image type="icon" source="../media/how-to-troubleshoot-the-sensor-and-on-premises-management-console/eye-icon.png" border="false"::: button to view the full connection string.
 
     1.  The connection string is composed of the IP address and the token. The IP address is before the colon, and the token is after the colon. Copy the IP address and token separately. For example, if your connection string is ```172.10.246.232:a2c4gv9de23f56n078a44e12gf2ce77f```, copy the IP address ```172.10.246.232``` and the token ```a2c4gv9de23f56n078a44e12gf2ce77f``` separately.
 
-        :::image type="content" source="media/how-to-set-up-high-availability/copy-connection-string-second-part.png" alt-text="Screenshot showing to copy each part of the connection string to use in the following command." lightbox="media/how-to-set-up-high-availability/copy-connection-string-second-part.png":::
+        :::image type="content" source="../media/how-to-set-up-high-availability/copy-connection-string-second-part.png" alt-text="Screenshot showing to copy each part of the connection string to use in the following command." lightbox="media/how-to-set-up-high-availability/copy-connection-string-second-part.png":::
 
 1. **On the primary appliance**, use the following steps to connect the secondary appliance to the primary via CLI:
 
@@ -106,7 +106,7 @@ The core application logs can be exported to the Defender for IoT support team t
 
 **To access the core logs**:
 
-1. Sign into the on-premises management console and select **System Settings** > **Export**. For more information on exporting logs to send to the support team, see [Export logs from the on-premises management console for troubleshooting](legacy-central-management/how-to-troubleshoot-on-premises-management-console.md#export-logs-from-the-on-premises-management-console-for-troubleshooting).
+1. Sign into the on-premises management console and select **System Settings** > **Export**. For more information on exporting logs to send to the support team, see [Export logs from the on-premises management console for troubleshooting](how-to-troubleshoot-on-premises-management-console.md#export-logs-from-the-on-premises-management-console-for-troubleshooting).
 
 ## Update the on-premises management console with high availability
 
@@ -132,7 +132,7 @@ Perform the update in the following order. Make sure each step is complete befor
 
     1. Find the domain associated with the secondary appliance and copy it to your clipboard. For example:
 
-        :::image type="content" source="media/how-to-set-up-high-availability/update-high-availability-domain.jpg" alt-text="Screenshot showing the domain associated with the secondary appliance." lightbox="media/how-to-set-up-high-availability/update-high-availability-domain.jpg":::
+        :::image type="content" source="../media/how-to-set-up-high-availability/update-high-availability-domain.jpg" alt-text="Screenshot showing the domain associated with the secondary appliance." lightbox="../media/how-to-set-up-high-availability/update-high-availability-domain.jpg":::
 
     1. Remove the secondary domain from the list of trusted hosts. Run:
     
@@ -168,7 +168,7 @@ Perform the update in the following order. Make sure each step is complete befor
         sudo cyberx-management-trusted-hosts-apply
         ```
 
-1. Update both the primary and secondary appliances to the new version. For more information, see [Update an on-premises management console](update-ot-software.md#update-an-on-premises-management-console).
+1. Update both the primary and secondary appliances to the new version. For more information, see [Update an on-premises management console](../update-ot-software.md#update-an-on-premises-management-console).
 
 1. Set up high availability again, on both the primary and secondary appliances. For more information, see [Create the primary and secondary pair](#create-the-primary-and-secondary-pair).
 
@@ -181,7 +181,7 @@ When failover occurs, the primary on-premises management console freezes and you
 
 During failover, sensors continue attempts to communicate with the primary appliance. When more than half the managed sensors succeed in communicating with the primary, the primary is restored. The following message appears on the secondary console when the primary is restored:
 
-:::image type="content" source="media/how-to-set-up-high-availability/secondary-console-message.png" alt-text="Screenshot of a message that appears at the secondary console when the primary is restored.":::
+:::image type="content" source="../media/how-to-set-up-high-availability/secondary-console-message.png" alt-text="Screenshot of a message that appears at the secondary console when the primary is restored.":::
 
 Sign back in to the primary appliance after redirection.
 
@@ -191,8 +191,8 @@ Activation files can only be updated on the primary on-premises management conso
 
 Before the activation file expires on the secondary machine, define it as the primary machine so that you can update the license.
 
-For more information, see [Upload a new activation file](legacy-central-management/how-to-manage-the-on-premises-management-console.md#upload-a-new-activation-file).
+For more information, see [Upload a new activation file](how-to-manage-the-on-premises-management-console.md#upload-a-new-activation-file).
 
 ## Next steps
 
-For more information, see [Activate and set up an on-premises management console](legacy-central-management/activate-deploy-management.md).
+For more information, see [Activate and set up an on-premises management console](activate-deploy-management.md).

articles/defender-for-iot/organizations/monitor-zero-trust.md

@@ -1,7 +1,7 @@
 ---
 title: Monitor OT networks with Zero Trust principles - Microsoft Defender for IoT
 description: Learn how to use Microsoft Defender for IoT to monitor your operational technology (OT) networks with Zero Trust principles.
-ms.date: 02/15/2023
+ms.date: 12/14/2023
 ms.topic: tutorial
 ms.collection:
   -       zerotrust-services
@@ -11,7 +11,6 @@ ms.collection:
 
 [!INCLUDE [zero-trust-principles](../../../includes/security/zero-trust-principles.md)]
 
-<!--need to update this to remove the cm?-->
 Defender for IoT uses site and zone definitions across your OT network to ensure that you're maintaining network hygiene and keeping each subsystem separate and secure.
 
 This tutorial describes how to monitor your OT network with Defender for IoT and Zero Trust principles.
@@ -180,26 +179,6 @@ In the Azure portal, view Defender for IoT data by site and zone from the follow
 
 - **Sites and sensors**: [Filter the sensors](how-to-manage-sensors-on-the-cloud.md#site-management-options-from-the-azure-portal) listed by site or zone.
 
-<!-- remove this?
-### View data in air-gapped environments
-
-Use the following procedure to view more data for each site and zone on an on-premises management console. We recommend using an on-premises management console in air-gapped environments to centrally manage and monitor OT devices across your network.
-
-1. Sign into your on-premises management console and select **Site Management**.
-
-1. Locate the site and zone you want to view, using the filtering options at the top as needed:
-
-    - **Connectivity**: Select to view only all OT sensors, or only connected / disconnected sensors only.
-    - **Upgrade Status**: Select to view all OT sensors, or only those with a specific [software update status](update-ot-software.md#update-an-on-premises-management-console).
-    - **Business Unit**: Select to view all OT sensors, or only those from a [specific business unit](legacy-on-premises-management/sites-and-zones-on-premises.md#create-business-units).
-    - **Region**: Select to view all OT sensors, or only those from a [specific region](legacy-on-premises-management/sites-and-zones-on-premises.md#create-regions).
-
-Each site and zone lists operational details about the sensor, such as details about its last software update, as well as the number of devices, alerts, and sensors aggregated for each zone.
-
-Select **View device inventory**, **View zone map**, the :::image type="icon" source="media/sites-and-zones/sensor-icon.png" border="false"::: sensor icon, or the :::image type="icon" source="media/legacy-central-management/how-to-work-with-alerts-on-premises-management-console/alerts-icon.png" border="false"::: alerts button to jump to more specific data.
-
--->
-
 ## Sample alerts to watch for
 
 When monitoring for Zero Trust, the following list is an example of important Defender for IoT alerts to watch for: