We would like to register our IoT devices using a DPS group enrollment based on an intermediate X.509 certificate. Once the device is provisioned, we can authenticate the device at the IoT Hub using X.509 attestation. So far, so good, and that actually works.
However, this has the problem that the device needs the full device certificate, including the private key, at hand. Therefore, we would like to use TPM attestation, but I am struggling to understand how this can work. The documentation says we should update the enrollment list, but as far as I understood, this means a separate individual enrollment for each device, which we would like to avoid as well.
Is it possible to authenticate the device using TPM attestation if the public key of the device certificate matches the endorsement key, given that the devices have been provisioned using a group enrollment?
Thanks
There is a document which shows the series of steps that need to be taken to complete the group enrollment for the certificate. You need to follow the syntax mentioned in the document to complete the process.
http://busbyland.com/azure-iot-device-provisioning-service-via-rest-part-1/
DOCUMENT CREDIT: msstevebus
To complete the device authentication using an X.509 CA certificate, follow the document.
Device enrollment such as group enrollment is possible, but not with the TPM.
As mentioned in the image, TPM is used for individual device enrollment.