Create and provision a simulated TPM device using C device SDK for IoT Hub Device Provisioning Service

These steps show how to create a simulated device on your development machine running Windows OS, run the Windows TPM simulator as the Hardware Security Module (HSM) of the device, and use the code sample to connect this simulated device with the Device Provisioning Service and your IoT hub.

If you're unfamiliar with the process of auto-provisioning, be sure to also review Auto-provisioning concepts. Also make sure you've completed the steps in Set up IoT Hub Device Provisioning Service with the Azure portal before continuing.


The initial device twin state configuration is available only in the standard tier of IoT Hub. For more information about the basic and standard IoT Hub tiers, see How to choose the right IoT Hub tier.

Prepare the development environment

  1. Make sure you have either Visual Studio 2015 or Visual Studio 2017 installed on your machine. You must have 'Desktop development with C++' workload enabled for your Visual Studio installation.

  2. Download and install the CMake build system. It is important that the Visual Studio with 'Desktop development with C++' workload is installed on your machine, before the cmake installation.

  3. Make sure git is installed on your machine and is added to the environment variables accessible to the command window. See Software Freedom Conservancy's Git client tools for the latest version of git tools to install, which includes the Git Bash, the command-line app that you can use to interact with your local Git repository.

  4. Open a command prompt or Git Bash. Clone the GitHub repo for device simulation code sample:

    git clone --recursive
  5. Create a folder in your local copy of this GitHub repo for CMake build process.

    cd azure-iot-sdk-c
    mkdir cmake
    cd cmake
  6. The code sample uses a Windows TPM simulator to provide attestation via SAS Token authentication. Run the following command to build a version of the SDK specific to your development client platform and attestation mechanism (TPM Simulator). It also generates a Visual Studio solution for the simulated device.

    cmake -Duse_prov_client:BOOL=ON -Duse_tpm_simulator:BOOL=ON ..

    If cmake does not find your C++ compiler, you might get build errors while running the above command. If that happens, try running this command in the Visual Studio command prompt.

  7. In a separate command prompt, navigate to the GitHub root folder and run the TPM simulator. It listens over a socket on ports 2321 and 2322. Do not close this command window; you will need to keep this simulator running until the end of this Quickstart guide.

    If you are in the cmake folder, then run the following commands:


Simulate TPM device

  1. Open the solution generated in the cmake folder named azure_iot_sdks.sln, and build it in Visual Studio.

  2. In the Solution Explorer pane in Visual Studio, navigate to the folder Provision_Tools. Right-click the tpm_device_provision project and select Set as Startup Project.

  3. Run the solution. The output window displays the Registration ID and the Endorsement Key needed for device enrollment. Note down these values.

Create a device enrollment entry in the portal

  1. Log in to the Azure portal, click on the All resources button on the left-hand menu and open your Device Provisioning service.

  2. On the Device Provisioning Service summary blade, select Manage enrollments. Select Individual Enrollments tab and click the Add button at the top.

  3. Under the Add enrollment list entry, enter the following information:

    • Select TPM as the identity attestation Mechanism.
    • Enter the Registration ID and Endorsement key for your TPM device.
    • Optionally, you may provide the following information:
      • Select an IoT hub linked with your provisioning service.
      • Enter a unique device ID. Make sure to avoid sensitive data while naming your device.
      • Update the Initial device twin state with the desired initial configuration for the device.
    • Once complete, click the Save button.

      Enter device enrollment information in the portal blade

    On successful enrollment, the Registration ID of your device will appear in the list under the Individual Enrollments tab.

Simulate first boot sequence for the device

  1. In the Azure portal, select the Overview blade for your Device Provisioning service and note down the ID Scope value.

    Extract DPS endpoint information from the portal blade

  2. In the Visual Studio Solution Explorer on your machine, navigate to the folder Provision_Samples. Select the sample project named prov_dev_client_sample and open the file prov_dev_client_sample.c.

  3. Assign the ID Scope value to the id_scope variable.

    static const char* id_scope = "[ID Scope]";
  4. In the main() function in the same file, make sure the SECURE_DEVICE_TYPE is set to TPM.

    SECURE_DEVICE_TYPE hsm_type;
    hsm_type = SECURE_DEVICE_TYPE_TPM;

    Comment out or delete the statement hsm_type = SECURE_DEVICE_TYPE_X509; that is present by default.

  5. Right-click the prov_dev_client_sample project and select Set as Startup Project. Run the solution.

  6. Notice the messages that simulate the device booting and connecting to the Device Provisioning Service to get your IoT hub information. On successful provisioning of your simulated device to the IoT hub linked with your provisioning service, the device ID appears on the hub's IoT Devices blade.

    Device is registered with the IoT hub

    If you changed the initial device twin state from the default value in the enrollment entry for your device, it can pull the desired twin state from the hub and act accordingly. For more information, see Understand and use device twins in IoT Hub

Clean up resources

If you plan to continue working on and exploring the device client sample, do not clean up the resources created in this Quickstart. If you do not plan to continue, use the following steps to delete all resources created by this Quickstart.

  1. Close the device client sample output window on your machine.
  2. Close the TPM simulator window on your machine.
  3. From the left-hand menu in the Azure portal, click All resources and then select your Device Provisioning service. Open the Manage Enrollments blade for your service, and then click the Individual Enrollments tab. Select the REGISTRATION ID of the device you enrolled in this Quickstart, and click the Delete button at the top.
  4. From the left-hand menu in the Azure portal, click All resources and then select your IoT hub. Open the IoT Devices blade for your hub, select the DEVICE ID of the device you registered in this Quickstart, and then click Delete button at the top.

Next steps

In this Quickstart, you’ve created a TPM simulated device on your machine and provisioned it to your IoT hub using the IoT Hub Device Provisioning Service. To learn how to enroll your TPM device programmatically, continue to the Quickstart for programmatic enrollment of a TPM device.