| title | Create and provision IoT Edge devices using symmetric keys on Linux on Windows |
|---|---|
| description | Use symmetric key attestation to test provisioning Linux on Windows devices at scale for Azure IoT Edge with device provisioning service |
| author | sethmanheim |
| ms.author | sethm |
| ms.date | 06/06/2025 |
| ms.topic | how-to |
| ms.service | azure-iot-edge |
| ms.custom | linux-related-content |
| services | iot-edge |
[!INCLUDE iot-edge-version-all-supported]
This article shows how to autoprovision one or more IoT Edge for Linux on Windows devices using symmetric keys. Automatically provision Azure IoT Edge devices with the Azure IoT Hub device provisioning service (DPS). If you're unfamiliar with the process of autoprovisioning, review the provisioning overview before continuing.
Here are the tasks:
- Create either an individual enrollment for a single device or a group enrollment for a set of devices.
- Deploy a Linux virtual machine with the IoT Edge runtime installed and connect it to the IoT Hub.
Symmetric key attestation is a simple way to authenticate a device with a device provisioning service instance. This attestation method is a "Hello world" experience for developers who are new to device provisioning or don't have strict security requirements. Device attestation using a TPM or X.509 certificates is more secure, and you should use it for more stringent security requirements.
[!INCLUDE iot-edge-prerequisites-at-scale-cloud-resources.md]
[!INCLUDE iot-edge-prerequisites-linux-on-windows.md]
[!INCLUDE iot-edge-create-dps-enrollment-symmetric.md]
[!INCLUDE install-iot-edge-linux-on-windows.md]
After you install the runtime on your device, configure the device with the information it uses to connect to the device provisioning service and IoT Hub.
Make sure you have the following information:
- The DPS ID Scope value
- The device Registration ID you created
- The Primary Key from an individual enrollment, or a derived key for devices using a group enrollment.
Run the following command in an elevated PowerShell session with the placeholder values updated with your own values:
Provision-EflowVm -provisioningType DpsSymmetricKey -scopeId PASTE_YOUR_ID_SCOPE_HERE -registrationId PASTE_YOUR_REGISTRATION_ID_HERE -symmKey PASTE_YOUR_PRIMARY_KEY_OR_DERIVED_KEY_HERECheck that IoT Edge for Linux on Windows is installed and set up on your IoT Edge device.
Check that the individual enrollment you created in device provisioning service is used. Go to your device provisioning service instance in the Azure portal. Open the enrollment details for the individual enrollment you created. The status of the enrollment is assigned, and the device ID is listed.
Check that the group enrollment you created in device provisioning service is used. Go to your device provisioning service instance in the Azure portal. Open the enrollment details for the group enrollment you created. Go to the Registration Records tab to view all devices registered in that group.
-
Sign in to your IoT Edge for Linux on Windows virtual machine using the following command in your PowerShell session:
Connect-EflowVm[!NOTE] The only account allowed to SSH to the virtual machine is the user that created it.
-
Once you're logged in, you can check the list of running IoT Edge modules using the following Linux command:
sudo iotedge list
-
If you need to troubleshoot the IoT Edge service, use the following Linux commands.
-
Retrieve the service logs.
sudo iotedge system logs
-
Use the
checktool to verify configuration and connection status of the device.sudo iotedge check
[!NOTE] On a newly provisioned device, you may see an error related to IoT Edge Hub:
× production readiness: Edge Hub's storage directory is persisted on the host filesystem - Error
Could not check current state of edgeHub container
This error is expected on a newly provisioned device because the IoT Edge Hub module isn't running. To fix the error, in IoT Hub, set the modules for the device and create a deployment. Creating a deployment for the device starts the modules on the device, including the IoT Edge Hub module.
-
When you create a new IoT Edge device, it shows the status code 417 -- The device's deployment configuration is not set in the Azure portal. This status is normal and means the device is ready to receive a module deployment.
[!INCLUDE uninstall-iot-edge-linux-on-windows.md]
The device provisioning service enrollment process lets you set the device ID and device twin tags when you provision a new device. Use those values to target individual devices or groups of devices with automatic device management. Learn how to deploy and monitor IoT Edge modules at scale using the Azure portal or using Azure CLI.
You can also:
- Continue to deploy IoT Edge modules to learn how to deploy modules onto your device.
- Learn how to manage certificates on your IoT Edge for Linux on Windows virtual machine and transfer files from the host OS to your Linux virtual machine.
- Learn how to configure your IoT Edge devices to communicate through a proxy server.