Merge pull request #222129 from miashapan/dmi-decoder

liljack17 · web-flow · commit 90e2ada3c55d · 2022-12-26T08:18:03.000-08:00
DMI decoder + provision fixes + TOC
diff --git a/articles/defender-for-iot/device-builders/TOC.yml b/articles/defender-for-iot/device-builders/TOC.yml
@@ -70,12 +70,16 @@
   - name: Configure Microsoft Defender for IoT agent-based solution
     displayName: data, collection, geolocation, log analytics, raw events
     href: how-to-configure-agent-based-solution.md
+  - name: How to configure the DMI Decoder
+    href: how-to-configure-dmi-decoder.md
   - name: Investigate CIS benchmark recommendation
     href: how-to-investigate-cis-benchmark.md
   - name: Configure a micro agent twin
     href: how-to-configure-micro-agent-twin.md
   - name: Configure PAM to audit sign-in events
     href: configure-pam-to-audit-sign-in-events.md
+  - name: Provision micro agent using DPS 
+    href: how-to-provision-micro-agent.md
   - name: Create custom alerts
     displayName: security group
     href: quickstart-create-custom-alerts.md
diff --git a/articles/defender-for-iot/device-builders/how-to-configure-dmi-decoder.md b/articles/defender-for-iot/device-builders/how-to-configure-dmi-decoder.md
@@ -0,0 +1,79 @@
+---
+title: How to configure the DMI Decoder
+description: Learn how to configure your DMI decoder on your device, or use other alternatives. 
+ms.date: 12/22/2022
+ms.topic: how-to
+---
+
+# DMI Decoder configurations
+
+This article explains how to configure the DMI decoder, and alternative configurations for devices that do not support it.
+
+## Overview
+
+The Microsoft Defender for IoT **Device inventory** provides an overview of all IoT devices in your environment. The device inventory table can be customized to your preferences by adding or removing information fields, and filtering the fields.
+
+The DMI decoder is used to retrieve data on the hardware and firmware of the device.
+
+Retrieved fields are:
+
+- Firmware vendor
+- Firmware version
+- Hardware model
+- Hardware serial number
+- Hardware vendor
+
+For more information on the DMI Decoder, see [dmidecode(8): DMI table decoder - Linux man page (die.net)](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flinux.die.net%2Fman%2F8%2Fdmidecode&data=05%7C01%7Cmiashapan%40microsoft.com%7C07f0384fdcf14dd8cdb808dae0be41a4%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638069405000113003%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2FSFH0ALDDf6OPMsXW99gEP%2Bvu%2F1eIXyunIQth682NbQ%3D&reserved=0).
+
+## Populate SMBIOS tables for dmidecode
+
+To support dmidecode(8), SMBIOS tables needs to be present and valid.
+To implement, please refer to the [System Management BIOS specifications](https://lwn.net/Articles/451967/).
+
+## Alternative configurations
+
+For devices that do not support the DMI decoder, there are two alternative options for retrieving and setting the firmware and hardware fields.
+
+### JSON file
+
+To manually set the values on the device, create a JSON file. The micro agent will read the values from the JSON file and send them to the cloud.
+
+To configure the file, use the following path and format details:
+
+- Path:
+
+    ```bash
+        /etc/defender_iot_micro_agent/sysinfo.json
+    ```
+
+- Format:
+
+```bash
+        "HardwareVendor": "<hardware vendor>", 
+        "HardwareModel": "<hardware model>",
+        "HardwareSerialNumber": "<hardware serial number>", 
+        "FirmwareVendor": "<firmware vendor>", 
+        "FirmwareVersion": "<firmware version>"
+```
+
+### Module twin configurations
+
+To manually set the values on the cloud, use the module twin configuration by setting the following properties:
+
+```bash
+    “properties”:{
+        “desired”:{
+                    “SystemInformation_HardwareVendor”: ”<data>”,
+                    “SystemInformation_HardwareModel”: ”<data>”,
+                    “SystemInformation_FirmwareVendor”: ”<data>”,
+                    “SystemInformation_ FirmwareVersion”: ”<data>”,
+                    “SystemInformation_HardwareSerialNumber”: ”<data>”
+        }
+    }              
+```
+
+## Next steps
+
+> [Configure Microsoft Defender for IoT agent-based solution](tutorial-configure-agent-based-solution.md)
+
+> [Configure pluggable Authentication Modules (PAM) to audit sign-in events (Preview)](configure-pam-to-audit-sign-in-events.md)
diff --git a/articles/defender-for-iot/device-builders/how-to-provision-micro-agent.md b/articles/defender-for-iot/device-builders/how-to-provision-micro-agent.md
@@ -0,0 +1,44 @@
+---
+title: Provision the Microsoft Defender for IoT micro agent using DPS
+description: Learn how to provision the Microsoft Defender for IoT micro agent using DPS. 
+ms.date: 12/22/2022
+ms.topic: how-to
+---
+
+# Provision the Microsoft Defender for IoT micro agent using DPS
+
+This article explains how to provision the standalone Microsoft Defender for IoT micro agent using [Azure IoT Hub Device Provisioning Service](../../iot-dps/about-iot-dps.md) with [X.509 certificate attestation](../../iot-dps/concepts-x509-attestation.md).
+
+To learn how to configure the Microsoft Defender for IoT micro agent for Edge devices see [Create and provision IoT Edge devices at scale]../../iot-edge/how-to-provision-devices-at-scale-linux-tpm.md).
+
+## Prerequisites
+
+- An Azure account with an active subscription. [Create an account for free]https://azure.microsoft).
+
+- An [IoT hub](../../iot-hub/iot-hub-create-through-portal.md).
+
+- [IoT Hub Device Provisioning Service](../../iot-dps/quick-setup-auto-provision.md).
+
+## Provision
+
+1. In the [Azure portal](https://portal.azure.com), go to your instance of the IoT Hub device provisioning service.
+
+1. Under Settings, select Manage enrollments.
+1. Select Add individual enrollment, and then complete the steps to configure the enrollment:
+    1. Choose X.509 at the identity attestation Mechanism and choose your CA.
+1. Navigate into your destination IoT Hub.
+1. Create a new module issued by the same certificate.
+1. Configure the micro agent to use the created module (Note that the device does not have to exist yet).
+1. Navigate back to DPS and provision the device through DPS.
+1. Navigate to the configured device in the destination IoT Hub.
+1. Create a new module for the device issued by the same CA authenticator.
+1. Run the agent that you configured in step 4 to see it connects to the device.
+
+> [!NOTE]
+> Using this procedure, while you don't need the device to exists before configuring the agent, you do need to know the device name in advance in order to issue the certificate for the final module correctly.
+
+## Next steps
+
+> [Configure Microsoft Defender for IoT agent-based solution](tutorial-configure-agent-based-solution.md)
+
+> [Configure pluggable Authentication Modules (PAM) to audit sign-in events (Preview)](configure-pam-to-audit-sign-in-events.md)
