How to deprovision devices that were previously auto-provisioned

You may find it necessary to deprovision devices that were previously auto-provisioned through the Device Provisioning Service. For example, a device may be sold or moved to a different IoT hub, or it may be lost, stolen, or otherwise compromised.

In general, deprovisioning a device involves two steps:

1. Disenroll the device from your provisioning service to prevent future auto-provisioning. Depending on whether you want to revoke access temporarily or permanently, you can either disable or delete an enrollment entry. Для устройств, использующих аттестацию X.509, может потребоваться отключить или удалить запись в иерархии существующих групп регистрации.

   • To learn how to disenroll a device, see How to disenroll a device from Azure IoT Hub Device Provisioning Service.
   • To learn how to disenroll a device programmatically using one of the provisioning service SDKs, see Manage device enrollments with service SDKs.

2. Deregister the device from your IoT hub to prevent future communications and data transfer. Again, you can temporarily disable or permanently delete the device's entry in the identity registry for the IoT Hub where it was provisioned. See Disable devices to learn more about disablement.

The exact steps you take to deprovision a device depend on its attestation mechanism and its applicable enrollment entry with your provisioning service. В следующих разделах представлен обзор процесса на основе типа регистрации и аттестации.

Individual enrollments

Devices that use TPM attestation or X.509 attestation with a leaf certificate are provisioned through an individual enrollment entry.

To deprovision a device that has an individual enrollment:

1. Disenroll the device from your provisioning service:

   • For devices that use TPM attestation, delete the individual enrollment entry to permanently revoke the device's access to the provisioning service, or disable the entry to temporarily revoke its access.
   • Для устройств, использующих аттестацию X.509, можно удалить или отключить запись. Учтите, однако, что если удалить отдельную запись о регистрации для устройства, использующего X.509, и включенная группа регистрации существует для сертификата подписи в цепочке сертификатов этого устройства, устройство может пройти повторную регистрацию. Для таких устройств может быть безопаснее отключить процесс регистрации. Это предотвращает повторную регистрацию устройства независимо от того, существует ли включенная группа регистрации для одного из сертификатов подписи.

2. Disable or delete the device in the identity registry of the IoT hub that it was provisioned to.

Enrollment groups

With X.509 attestation, devices can also be provisioned through an enrollment group. Enrollment groups are configured with a signing certificate, either an intermediate or root CA certificate, and control access to the provisioning service for devices with that certificate in their certificate chain. To learn more about enrollment groups and X.509 certificates with the provisioning service, see X.509 certificate attestation.

To see a list of devices that have been provisioned through an enrollment group, you can view the enrollment group's details. This is an easy way to understand which IoT hub each device has been provisioned to. Чтобы просмотреть список устройств, выполните следующие действия.

1. Sign in to the Azure portal and navigate to your provisioning service.

2. Select Manage enrollments, then select the Enrollment groups tab.

3. Выберите группу регистрации, чтобы открыть подробности.

4. Select Details to view the registration records for the enrollment group.

   

With enrollment groups, there are two scenarios to consider:

• To deprovision all of the devices that have been provisioned through an enrollment group:

  1. Disable the enrollment group to disallow its signing certificate.

  2. Use the list of provisioned devices for that enrollment group to disable or delete each device from the identity registry of its respective IoT hub.

  3. After disabling or deleting all devices from their respective IoT hubs, you can optionally delete the enrollment group. Be aware, though, that if you delete the enrollment group and there is an enabled enrollment group for a signing certificate higher up in the certificate chain of one or more of the devices, those devices can re-enroll.

     Примечание.

     Удаление группы регистрации не удаляет записи регистрации для устройств в группе. DPS использует регистрационные записи, чтобы определить, достигнуто ли максимальное количество регистраций для конкретного экземпляра DPS. Потерянные записи регистрации по-прежнему учитываются в этой квоте. For the current maximum number of registrations supported for a DPS instance, see Quotas and limits.

     You may want to delete the registration records for the enrollment group before deleting the enrollment group itself. You can see and manage the registration records for an enrollment group manually on the registration status page for the group in the Azure portal. Or, you can retrieve and manage the registration records programmatically using the Device Registration State REST APIs or equivalent APIs in the DPS service SDKs, or using the az iot dps enrollment-group registration Azure CLI commands.

• To deprovision a single device from an enrollment group:

  1. Создайте отключенную индивидуальную регистрацию для устройства.

     • If you have the device (end-entity) certificate, you can create a disabled X.509 individual enrollment.
     • Если у вас нет сертификата устройства, вы можете создать индивидуальную регистрацию с отключенным симметричным ключом на основе идентификатора устройства в регистрационной записи этого устройства.

     To learn more, see Disallow specific devices in an enrollment group.

     The presence of a disabled individual enrollment for a device revokes access to the provisioning service for that device while still permitting access for other devices that have the enrollment group's signing certificate in their chain. Do not delete the disabled individual enrollment for the device. Doing so will allow the device to re-enroll through the enrollment group.

  2. Use the list of provisioned devices for that enrollment group to find the IoT hub that the device was provisioned to and disable or delete it from that hub's identity registry.