Commit 046fb62

Refinements
1 parent 2e20a31 commit 046fb62

File tree

1 file changed

+9
-3
lines changed

articles/iot-edge/how-to-provision-devices-at-scale-linux-tpm.md

Lines changed: 9 additions & 3 deletions
@@ -50,7 +50,7 @@ The tasks are as follows:
5050

5151
# [Physical device](#tab/physical-device)
5252

53-
A physical Linux device to be the IoT Edge device.
53+
A physical Linux device to be the IoT Edge device. This article assumes ownership of the TPM has been taken already and the endorsement key (EK) and storage root key (SRK) have been persisted. Follow the instructions relevant to your system to take ownership.
5454

5555
# [Virtual machine](#tab/virtual-machine)
5656

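Review bot: the new prerequisite on line 53 says the EK and SRK must already be persisted, but "Follow the instructions relevant to your system to take ownership" gives the reader nothing to follow, and the later steps read the EK from the fixed handle 0x81010001, so the text should say that the EK is expected at that persistent handle (or how to find the handle actually in use). The sentence is also added only under the physical-device tab; if the same assumption holds for the virtual machine tab it should appear there as well, or the text should state why it does not. Consider linking the concrete tpm2-tools steps for creating and persisting the EK, or the existing TPM attestation concepts page that the last hunk already links.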
@@ -156,6 +156,7 @@ In this section, you build a tool that you can use to retrieve the registration
156156
make
157157
sudo ./tpm_device_provision
158158
```
159+
159160
1. The output window displays the device's **Registration ID** and the **Endorsement key**. Copy these values for use later when you create an individual enrollment for your device in the device provisioning service.
160161

161162
:::moniker-end
@@ -178,7 +179,7 @@ In this section, you use the TPM2 software tools to retrieve the endorsement key
178179

179180
```bash
180181
tpm2_readpublic -Q -c 0x81010001 -o ek.pub
181-
printf "Gathering the registration information...\n\nRegistration Id:\n%s\n\nEndorsement Key:\n%s\n" $(sha256sum -b ek.pub | cut -d' ' -f1) $(base64 -w0 ek.pub)
182+
printf "Gathering the registration information...\n\nRegistration Id:\n%s\n\nEndorsement Key:\n%s\n" $(sha256sum -b ek.pub | cut -d' ' -f1 | base32 -w0 | sed -e 's/[^[:alnum:]]//g' | base32 -d -i 2> /dev/null | sed -e 's/(.*)/L1/g') $(base64 -w0 ek.pub)
182183
```
183184

184185
1. The output window displays the device's **Registration ID** and the **Endorsement key**. Copy these values for use later when you create an individual enrollment for your device in the device provisioning service.
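Review bot: the new pipeline on line 182 does not do anything useful and can silently print an empty Registration ID. `sed -e 's/(.*)/L1/g'` is a basic regular expression, where unescaped `(` and `)` are literal characters and `L1` is literal text rather than a back-reference, so it only touches input that contains parentheses; the backslashes were probably lost from something like `s/\(.*\)/\1/`. Before that, `base32 -w0` encodes the hex digest, the `sed` strips the `=` padding, and `base32 -d -i` decodes the now-unpadded text with stderr sent to /dev/null, so at best the round-trip returns the same hex string that `sha256sum -b ek.pub | cut -d' ' -f1` already produced, and if the decoder rejects the missing padding the Registration ID field is blank with no error shown. If a different encoding of the digest is intended, state which one in the prose and verify the result against the value the device provisioning service displays; also wrap both `$(...)` arguments in double quotes so they are not subject to word splitting.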
@@ -195,7 +196,7 @@ In this section, you use the TPM2 software tools to retrieve the endorsement key
195196
196197
```bash
197198
tpm2_readpublic -Q -c 0x81010001 -o ek.pub
198-
printf "Gathering the registration information...\n\nRegistration Id:\n%s\n\nEndorsement Key:\n%s\n" $(sha256sum -b ek.pub | cut -d' ' -f1) $(base64 -w0 ek.pub)
199+
printf "Gathering the registration information...\n\nRegistration Id:\n%s\n\nEndorsement Key:\n%s\n" $(sha256sum -b ek.pub | cut -d' ' -f1 | base32 -w0 | sed -e 's/[^[:alnum:]]//g' | base32 -d -i 2> /dev/null | sed -e 's/(.*)/L1/g') $(base64 -w0 ek.pub)
199200
```
200201
201202
1. The output window displays the device's **Registration ID** and the **Endorsement key**. Copy these values for use later when you create an individual enrollment for your device in the device provisioning service.
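Review bot: line 199 is an exact copy of the pipeline in the previous hunk, so any correction to it has to be applied in both tabs. The file already pulls the enrollment section in with `[!INCLUDE ...]`; moving this shared snippet into an include would keep the two tabs from drifting.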
@@ -211,6 +212,11 @@ In this section, you use the TPM2 software tools to retrieve the endorsement key
211212
212213
After you have your registration ID and endorsement key, you're ready to continue.
213214

215+
> [!NOTE]
216+
> The Device Provisioning Service only uses the public part of the EK (EK_pub) to identify and enroll devices. It does not check the SRK or owner, so "clearing" the SRK to transfer ownership erases customer data, but the EK (and other vendor data) is preserved and the device will still be recognized by the Device Provisioning Service when it connects to provision.
217+
>
218+
> For an overview of the provisioning process with DPS see the documentation on [TPM attestation](../iot-dps/concepts-tpm-attestation.md).
219+
214220
<!-- Create an enrollment for your device using TPM provisioning information H2 and content -->
215221
[!INCLUDE [tpm-create-a-device-provision-service-enrollment.md](../../includes/tpm-create-a-device-provision-service-enrollment.md)]
216222

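Review bot: the note says DPS "does not check the SRK or owner", which reads as contradicting the new prerequisite on line 53 that the SRK must already be persisted; say why the SRK is still needed locally for these steps even though DPS does not use it. The sentence starting "so 'clearing' the SRK" mixes a consequence (customer data erased) with a reassurance (device still recognized) and would be clearer as two sentences. Since the device keeps its DPS identity across an ownership transfer, it is worth one line telling operators to disable or delete the individual enrollment when a device is decommissioned or handed over; otherwise the old enrollment remains usable by whoever holds the device.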