articles/iot-hub-device-update/device-update-rootkey.md
12 additions & 23 deletions
@@ -11,44 +11,33 @@ ms.subservice: device-update
11
11
12
12
# How to prepare for the rotation of a Device Update for IoT Hub root key
13
13
14
-
Learn about Device Update for IoT Hub root key rotation, and what you may need to do to prepare.
14
+
Learn about Device Update for IoT Hub root key rotations, and what you need to do to prepare.
15
15
16
16
## Understand Device Update for IoT Hub security and how root keys are used
17
17
18
18
Before learning about the Device Update root key rotation process, learn about root keys by visiting the [Device Update security model](device-update-security.md) page.
19
19
20
-
## Upcoming root key rotation in August 2025
20
+
## Root key rotation schedule change
21
21
22
-
On **August 26, 2025**, the Device Update for IoT Hub service will rotate ADU.200702.R, the root key currently being used for validating signing keys associated with update manifests. The rotation of that key means that the Device Update service will stop signing imported content with a key that chains up to ADU.200702.R, and begin signing using a key that chains up to ADU.200703.R.
22
+
The Device Update for IoT Hub team was previously planning to rotate ADU.200702.R, the root key currently being used for validating signing keys associated with update manifests, on August 26, 2025. The rotation of that key would have meant that the Device Update service would stop signing imported content with a key that chains up to ADU.200702.R. Then, the service would have started signing using a key that chains up to ADU.200703.R.
23
23
24
-
### Potential impact
24
+
Based on feedback from our customers on the impact of this change, the Device Update for IoT Hub team is postponing the August 2025 rotation. This will give customers more time to be ready for the rotation. Once a new date is available for this rotation event, it will be announced at least one year in advance.
25
25
26
-
After August 26, any content that you've imported into your Device Update instance _before_ August 26 will remain signed with ADU.200702.R, and nothing will change about deploying it to your devices.
26
+
## How to validate if your devices are ready for a future rotation or revocation
27
27
28
-
Any content imported _after_ August 26 will be signed with ADU.200703.R. By default, all supported versions of the reference Device Update Agent have both ADU.200702.R and ADU.200703.R. This means that if you haven't modified the Device Update Agent code, any content signed with ADU.200703.R can be deployed to your devices, and no action is required.
28
+
If you haven’t tested the ADU.200703.R root key that will be used after the eventual rotation, doing so as soon as possible is recommended. In the unlikely case of a malicious actor being able to exploit the current ADU.200702.R root key before a scheduled rotation, the Device Update team would immediately revoke the ADU.200702.R root key and begin signing with ADU.200703.R root key. Confirming via testing that your devices currently support the ADU.200703.R root key means the impact of this scenario is minimized.
29
29
30
-
If ADU.200703.R _isn't_ on your devices for some reason - such as if you created your own Device Update Agent and didn't include both keys - **content that you import after August 26 will not be able to be deployed to those devices**. In that case, you can choose one of the following options to do before August 26:
31
-
- Update your devices to [Device Update Agent version 1.1.0 or later](https://github.com/Azure/iot-hub-device-update/releases/tag/1.1.0). Agent versions 1.1.0 and later include the capability to _automatically_ retrieve the latest root key, meaning rotation events including the one on August 26 won't require any action from you.
32
-
- Update your devices to just add ADU.200703.R, without updating to a different Device Update Agent version.
30
+
The Device Update team created a test mechanism to validate if your devices can receive content signed with ADU.200703.R. Instructions:
33
31
34
-
>[!NOTE]
35
-
>If you want to use Device Update for IoT Hub to perform either option 1 or option 2, **you must import those updates before August 26**. Otherwise you'll need to update your devices using another process so that they will have ADU.200703.R and be able to get new content from the Device Update service again.
32
+
1. Download a [special test file](https://a.b.nlu.dl.adu.microsoft.com/swedencentral/testfiles/root-key-test-update.txt). This exact file _must_ be used, because the Device Update service looks for the file hash at import time. The matching file hash in your import manifest should be: **KGyJ9tM6JSLHQq0gdKUmsVvB6Y4z0pMKdQNAd8jTGH0=**
36
33
37
-
## How to validate if your devices are impacted
34
+
1.[Create an update](create-update.md) for your testing. You can use any files you'd like, but you must also include the special test file in your import manifest. A best practice is for your update to change the device in a way that's easy to verify, like changing the version number of a file or adding a new file.
38
35
39
-
The Device Update team created a test mechanism to validate if your devices can receive content signed with ADU.200703.R. You can use this at any time before the August 26 rotation. Instructions:
40
-
1. Download a [special test file](https://a.b.nlu.dl.adu.microsoft.com/swedencentral/testfiles/root-key-test-update.txt). This exact file _must_ be used, because the Device Update service will look for the file hash at import time. The matching file hash in your import manifest should be: **KGyJ9tM6JSLHQq0gdKUmsVvB6Y4z0pMKdQNAd8jTGH0=**
41
-
42
-
2.[Create an update](create-update.md) to test with. You can use any file(s) you'd like, but you must also include the special test file in your import manifest. It's recommended that your update change the devices in a way that's easy to verify later (such as changing the version number on a file, or adding a new file that wasn't on the device).
43
36
3. Import and deploy the update to your devices just like you normally would.
44
-
4. Verify that the update succeeded on your devices. If it did, your devices can receive updates signed with ADU.200703.R and are ready for the August 26 rotation.
45
-
46
-
## Take action now for future root key rotations or revocations
47
-
48
-
By policy, Device Update for IoT Hub will rotate root keys every 2.5 years. However, if a security breach were to occur, it might be necessary to _revoke_ a root key at an unscheduled time and with little advance warning. To prepare for future rotations as well as the possibility of a revocation, a new root key will soon be made available. An announcement will be made on this page and via e-mail to Azure subscription owners with instructions once the key is available.
37
+
1. Verify that the update succeeded on your devices. If it did, your devices can receive updates signed with ADU.200703.R and are ready for the next rotation (or possible revocation).
49
38
50
-
>[!NOTE]
51
-
>It's strongly recommended to adopt Device Update Agent version 1.1.0 or later, which will automatically obtain all future root keys for your devices as needed, including during a revocation event. If you are unable to adopt Device Update Agent version 1.1.0 or later, plan to update your devices to add the new root key once available as quickly as possible before August 26, 2025, so two valid root keys will be available on your devices after the August 26 rotation.
39
+
>[!NOTE]
40
+
>Adopting [Device Update Agent version 1.1.0 or later](https://github.com/Azure/iot-hub-device-update/releases) is strongly recommended, which will automatically obtain all future root keys for your devices as needed, including during a revocation event.
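Review bot: the rewritten validation steps drop the failure branch that the removed text carried, and the step list itself will not render as intended. The removed paragraph stated plainly that a device without ADU.200703.R cannot receive content signed with that key, named the two remedies (move to Device Update Agent 1.1.0 or later, or add ADU.200703.R to the existing agent without changing agent version), and warned that if those remediation updates are delivered through Device Update they must be imported while the old key is still in use; the new final step, "1. Verify that the update succeeded on your devices", only describes success. Add a sentence there saying that a failed deployment means the device lacks ADU.200703.R and must be fixed through one of those two paths before any rotation or revocation, because after a revocation of ADU.200702.R such a device could no longer obtain content from the service at all and would have to be updated by another process. On rendering: `1.[Create an update](create-update.md)` has no space after the marker, so it is not a list item (the removed `2.[Create an update]` line had the same defect), and the unchanged `3. Import and deploy` now sits between items renumbered to `1.`; write all four steps as `1. ` with a space, or number them 1 through 4, so the procedure renders as one ordered list. Minor wording: "exploit the current ADU.200702.R root key" reads as if the key had a flaw; "compromise" is the accurate term for the scenario described. Also note that the removed sentence giving the 2.5-year rotation policy has no replacement, so the new section states no expected cadence at all; if the policy still holds, keep that sentence under "Root key rotation schedule change".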