Create and provision a simulated TPM Edge device on Windows

Azure IoT Edge devices can be auto-provisioned using the Device Provisioning Service just like devices that are not edge-enabled. If you're unfamiliar with the process of auto-provisioning, review the auto-provisioning concepts before continuing.

This article shows you how to test auto-provisioning on a simulated Edge device with the following steps:

  • Create an instance of IoT Hub Device Provisioning Service (DPS).
  • Create a simulated device on your Windows machine with a simulated Trusted Platform Module (TPM) for hardware security.
  • Create an individual enrollment for the device.
  • Install the IoT Edge runtime and connect the device to IoT Hub.


Prerequisites

  • A Windows development machine. This article uses Windows 10.
  • An active IoT Hub.

Set up the IoT Hub Device Provisioning Service

Create a new instance of the IoT Hub Device Provisioning Service in Azure, and link it to your IoT hub. You can follow the instructions in Set up the IoT Hub DPS.

After you have the Device Provisioning Service running, copy the value of ID Scope from the overview page. You use this value when you configure the IoT Edge runtime.

Simulate a TPM device

Create a simulated TPM device on your Windows development machine. Retrieve the Registration ID and Endorsement Key for your device, and use them to create an individual enrollment entry in DPS.

When you create an enrollment in DPS, you have the opportunity to declare an Initial Device Twin State. In the device twin you can set tags to group devices by any metric you need in your solution, like region, environment, location, or device type. These tags are used to create automatic deployments.

Choose the SDK language that you want to use to create the simulated device, and follow the steps until you create the individual enrollment.

When you create the individual enrollment, select True to declare that the simulated TPM device on your Windows development machine is an IoT Edge device.


After creating the individual enrollment, save the value of the Registration ID. You use this value when you configure the IoT Edge runtime.

Install the IoT Edge runtime

After completing the previous section, you should see your new device listed as an IoT Edge device in your IoT Hub. Now, you need to install the IoT Edge runtime on your device.

The IoT Edge runtime is deployed on all IoT Edge devices. Its components run in containers, and allow you to deploy additional containers to the device so that you can run code at the edge.

Follow the instructions to install the IoT Edge runtime on the device that is running the simulated TPM from the previous section. Make sure to configure the IoT Edge runtime for automatic, not manual, provisioning.

Know your DPS ID Scope and device Registration ID before installing IoT Edge on your device.

Install and automatically provision IoT Edge

Verify successful installation

If the runtime started successfully, you can go into your IoT Hub and start deploying IoT Edge modules to your device. Use the following commands on your device to verify that the runtime installed and started successfully.

Check the status of the IoT Edge service.

Get-Service iotedge

Examine service logs from the last 5 minutes.

. {Invoke-WebRequest -useb} | Invoke-Expression; Get-IoTEdgeLog

List running modules.

iotedge list
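
The three checks above can be folded into a single pass/fail health check after auto-provisioning. The PowerShell below is an added example, not part of the original article: the function names are hypothetical, and it assumes that `iotedge list` prints NAME, STATUS, DESCRIPTION and CONFIG columns separated by two or more spaces and that the runtime's agent module is named edgeAgent.

```powershell
# Added example (not from the original article). Function names are hypothetical.
# Assumption: `iotedge list` prints a header row, then NAME / STATUS / DESCRIPTION /
# CONFIG columns separated by two or more spaces.

function ConvertFrom-IoTEdgeList {
    param([string[]]$Lines)
    # Skip blank lines and the header row, then split each row into columns.
    $Lines |
        Where-Object { $_ -and $_ -notmatch '^\s*NAME\s+STATUS' } |
        ForEach-Object {
            $cols = $_.Trim() -split '\s{2,}'
            [pscustomobject]@{ Name = $cols[0]; Status = $cols[1]; Description = $cols[2] }
        }
}

function Test-IoTEdgeHealth {
    param([string]$ServiceStatus, [string[]]$ListOutput)
    $problems = @()
    if ($ServiceStatus -ne 'Running') {
        $problems += "iotedge service is '$ServiceStatus', expected 'Running'"
    }
    $modules = @(ConvertFrom-IoTEdgeList -Lines $ListOutput)
    # Assumption: the agent module is named edgeAgent. If it is missing,
    # the device most likely never finished provisioning.
    if (-not ($modules | Where-Object Name -eq 'edgeAgent')) {
        $problems += 'edgeAgent is not listed; provisioning may not have completed'
    }
    foreach ($m in ($modules | Where-Object Status -ne 'running')) {
        $problems += "module '$($m.Name)' is '$($m.Status)'"
    }
    [pscustomobject]@{
        Healthy  = ($problems.Count -eq 0)
        Problems = $problems
        Modules  = $modules
    }
}

# Constructed sample output, so the check can be dry-run off the device.
$sample = @(
    'NAME             STATUS           DESCRIPTION      CONFIG'
    'edgeAgent        running          Up 2 minutes     <edgeAgent image>'
)
Test-IoTEdgeHealth -ServiceStatus 'Running' -ListOutput $sample

# On the device itself, feed in the live values from the commands above.
if (Get-Command iotedge -ErrorAction SilentlyContinue) {
    $svc  = Get-Service -Name iotedge -ErrorAction SilentlyContinue
    $live = & iotedge list 2>&1 | ForEach-Object { "$_" }
    Test-IoTEdgeHealth -ServiceStatus "$($svc.Status)" -ListOutput $live
}
```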

Next steps

The Device Provisioning Service enrollment process lets you set the device ID and device twin tags at the same time as you provision the new device. You can use those values to target individual devices or groups of devices using automatic device management. Learn how to Deploy and monitor IoT Edge modules at scale using the Azure portal or using Azure CLI.