Provision the Microsoft Defender for IoT micro agent using DPS

This article explains how to provision the standalone Microsoft Defender for IoT micro agent using Azure IoT Hub Device Provisioning Service with X.509 certificate attestation.

To learn how to configure the Microsoft Defender for IoT micro agent for Edge devices see Create and provision IoT Edge devices at scale

Note

Defender for IoT plans to retire the micro agent on August 1, 2025.

Prerequisites

Provision

  1. In the Azure portal, go to your instance of the IoT Hub device provisioning service.

  2. Under Settings, select Manage enrollments.

  3. Select Add individual enrollment, and then complete the steps to configure the enrollment:

    • In the Mechanism field, select X.509 at the identity attestation Mechanism and choose your CA.
  4. Navigate into your destination IoT Hub.

  5. Create a new module issued by the same certificate.

  6. Configure the micro agent to use the created module (note that the device does not have to exist yet).

  7. Navigate back to DPS and provision the device through DPS.

  8. Navigate to the configured device in the destination IoT Hub.

  9. Create a new module for the device issued by the same CA authenticator.

  10. Run the agent that you configured in step 4 to confirm it connects to the device.

Note

When using this procedure, while you don't need the device to exist before configuring the agent, you do need to know the device name in advance in order to issue the certificate for the final module correctly.

Next steps

Configure Microsoft Defender for IoT agent-based solution

Configure pluggable Authentication Modules (PAM) to audit sign-in events (Preview)