Enroll TPM device to IoT Hub Device Provisioning Service using Python provisioning service SDK

These steps show how to programmatically create an individual enrollment for a TPM device in the Azure IoT Hub Device Provisioning Service, using the Python Provisioning Service SDK with the help of a sample Python application. Although the Python Service SDK works on both Windows and Linux machines, this article uses a Windows development machine to walk through the enrollment process.

Make sure to set up IoT Hub Device Provisioning Service with the Azure portal before you proceed.

Prepare the environment

  1. Download and install Python 2.x or 3.x. Make sure to use the 32-bit or 64-bit installation as required by your setup. When prompted during the installation, make sure to add Python to your platform-specific environment variables.

  2. Choose one of the following options:

  3. You need the endorsement key for your device. If you have followed the Create and provision a simulated device quickstart to create a simulated TPM device, use the key created for that device. Otherwise, you can use the following endorsement key supplied with the SDK:


Modify the Python sample code

This section shows how to add the provisioning details of your TPM device to the sample code.

  1. Using a text editor, create a new TpmEnrollment.py file.

  2. Add the following import statements and variables at the start of the TpmEnrollment.py file. Then replace dpsConnectionString with your connection string found under Shared access policies in your Device Provisioning Service on the Azure portal. Replace endorsementKey with the value noted previously in Prepare the environment. Finally, create a unique registrationid and be sure that it only consists of lower-case alphanumerics and hyphens.

    from provisioningserviceclient import ProvisioningServiceClient
    from provisioningserviceclient.models import IndividualEnrollment, AttestationMechanism
    CONNECTION_STRING = "{dpsConnectionString}"
    ENDORSEMENT_KEY = "{endorsementKey}"
    REGISTRATION_ID = "{registrationid}"
  3. Add the following function and function call to implement the group enrollment creation:

    def main():
        print ( "Starting individual enrollment..." )
        psc = ProvisioningServiceClient.create_from_connection_string(CONNECTION_STRING)
        att = AttestationMechanism.create_with_tpm(ENDORSEMENT_KEY)
        ie = IndividualEnrollment.create(REGISTRATION_ID, att)
        ie = psc.create_or_update(ie)
        print ( "Individual enrollment successful." )
    if __name__ == '__main__':
  4. Save and close the TpmEnrollment.py file.

Run the sample TPM enrollment

  1. Open a command prompt, and run the script.

    python TpmEnrollment.py
  2. Observe the output for the successful enrollment.

  3. Navigate to your provisioning service in the Azure portal. Click Manage enrollments. Notice that your TPM device appears under the Individual Enrollments tab, with the name registrationid created earlier.

    Verify successful TPM enrollment in portal

Clean up resources

If you plan to explore the Java service sample, do not clean up the resources created in this Quickstart. If you do not plan to continue, use the following steps to delete all resources created by this Quickstart.

  1. Close the Python sample output window on your machine.
  2. If you created a simulated TPM device, close the TPM simulator window.
  3. Navigate to your Device Provisioning service in the Azure portal, click Manage enrollments, and then select the Individual Enrollments tab. Select the Registration ID for the enrollment entry you created using this Quickstart, and click the Delete button at the top of the blade.

Next steps

In this Quickstart, you’ve programmatically created an individual enrollment entry for a TPM device, and, optionally, created a TPM simulated device on your machine and provisioned it to your IoT hub using the Azure IoT Hub Device Provisioning Service. To learn about device provisioning in depth, continue to the tutorial for the Device Provisioning Service setup in the Azure portal.