Create and provision a simulated TPM device using C# device SDK for IoT Hub Device Provisioning Service

These steps show you how to use the Azure IoT Samples for C# to simulate a TPM device on a development machine running the Windows OS. The sample also connects the simulated device to an IoT Hub using the Device Provisioning Service.

The sample code uses the Windows TPM simulator as the Hardware Security Module (HSM) of the device.

If you're unfamiliar with the process of autoprovisioning, be sure to also review Auto-provisioning concepts. Also make sure you've completed the steps in Set up IoT Hub Device Provisioning Service with the Azure portal before continuing.

The Azure IoT Device Provisioning Service supports two types of enrollments:

This article will demonstrate individual enrollments.


The initial device twin state configuration is available only in the standard tier of IoT Hub. For more information about the basic and standard IoT Hub tiers, see How to choose the right IoT Hub tier.

Prepare the development environment

  1. Make sure you have the .NET Core 2.1 SDK or later installed on your machine.

  2. Make sure git is installed on your machine and is added to the environment variables accessible to the command window. See Software Freedom Conservancy's Git client tools for the latest version of git tools to install, which includes the Git Bash, the command-line app that you can use to interact with your local Git repository.

  3. Open a command prompt or Git Bash. Clone the Azure IoT Samples for C# GitHub repo:

    git clone

Provision the simulated device

  1. Sign in to the Azure portal. Click the All resources button on the left-hand menu and open your Device Provisioning service. From the Overview blade, note down the ID Scope value.

    Copy provisioning service Scope ID from the portal blade

  2. In a command prompt, change directories to the project directory for the TPM device provisioning sample.

    cd .\azure-iot-samples-csharp\provisioning\Samples\device\TpmSample
  3. Type the following command to build and run the TPM device provisioning sample. Replace the <IDScope> value with the ID Scope for your provisioning service.

    dotnet run <IDScope>

    This command will launch the TPM chip simulator in a separate command prompt. On Windows, you may encounter a Windows Security Alert that asks whether you want to allow Simulator.exe to communicate on public networks. For the purposes of this sample, you may cancel the request.

  4. The command window displays the Endorsement Key, the Registration ID, and a suggested Device ID needed for device enrollment. Take note of these values. You will use these value to create an individual enrollment in your Device Provisioning Service instance.


    Do not confuse the window that contains command output with the window that contains output from the TPM simulator. You may have to click the command window to bring it to the foreground.

    Command window output

  5. In the Azure portal, on the Device Provisioning Service summary blade, select Manage enrollments. Select the Individual Enrollments tab and click the Add individual enrollment button at the top.

  6. Under Add Enrollment, enter the following information:

    • Select TPM as the identity attestation Mechanism.

    • Enter the Registration ID and Endorsement key for your TPM device that you noted earlier.

    • Optionally select an IoT hub linked with your provisioning service.

    • Enter a unique device ID. You can enter the device ID suggested in the sample output or enter your own. If you use your own, make sure to avoid sensitive data when naming your device.

    • Optionally update the Initial device twin state with the desired initial configuration for the device.

    • Once complete, click the Save button.

      Enter device enrollment information in the portal blade

    On successful enrollment, the Registration ID of your device will appear in the list under the Individual Enrollments tab.

  7. Press Enter in the command window (that displayed the Endorsement Key, the Registration ID, and a suggested Device ID) to enroll the simulated device. Notice the messages that simulate the device booting and connecting to the Device Provisioning Service to get your IoT hub information.

  8. Verify that the device has been provisioned. On successful provisioning of the simulated device to the IoT hub linked with your provisioning service, the device ID appears on the hub's IoT Devices blade.

    Device is registered with the IoT hub

    If you changed the initial device twin state from the default value in the enrollment entry for your device, it can pull the desired twin state from the hub and act accordingly. For more information, see Understand and use device twins in IoT Hub

Clean up resources

If you plan to continue working on and exploring the device client sample, do not clean up the resources created in this Quickstart. If you do not plan to continue, use the following steps to delete all resources created by this Quickstart.

  1. Close the device client sample output window on your machine.
  2. Close the TPM simulator window on your machine.
  3. From the left-hand menu in the Azure portal, click All resources and then select your Device Provisioning service. At the top of the All resources blade, click Delete.
  4. From the left-hand menu in the Azure portal, click All resources and then select your IoT hub. At the top of the All resources blade, click Delete.

Next steps

In this Quickstart, you’ve created a TPM simulated device on your machine and provisioned it to your IoT hub using the IoT Hub Device Provisioning Service. To learn how to enroll your TPM device programmatically, continue to the Quickstart for programmatic enrollment of a TPM device.