Commit e09c5ba

Add more references to DPS guidance docs
1 parent f2abeaf commit e09c5ba

2 files changed

+5
-3
lines changed

articles/iot-edge/how-to-create-iot-edge-device.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -148,15 +148,15 @@ This authentication method is faster to get started but not as secure. Device pr
148148

149149
### X.509 certificate attestation
150150

151-
Using X.509 certificates as an attestation mechanism is an excellent way to scale production and simplify device provisioning. Typically, X.509 certificates are arranged in a certificate chain of trust. Starting with a self-signed or trusted root certificate, each certificate in the chain signs the next lower certificate. This pattern creates a delegated chain of trust from the root certificate down through each intermediate certificate to the final "leaf" certificate installed on a device.
151+
Using X.509 certificates as an attestation mechanism is the recommended way to scale production and simplify device provisioning. Typically, X.509 certificates are arranged in a certificate chain of trust. Starting with a self-signed or trusted root certificate, each certificate in the chain signs the next lower certificate. This pattern creates a delegated chain of trust from the root certificate down through each intermediate certificate to the final "leaf" certificate installed on a device.
152152

153153
You create two X.509 identity certificates and place them on the device. When you create a new device identity in IoT Hub, you provide thumbprints from both certificates. When the device authenticates to IoT Hub, it presents one certificate and IoT Hub verifies that the certificate matches its thumbprint.
154154

155155
This authentication method is more secure than symmetric keys and is recommended for production scenarios.
156156

157157
### Trusted platform module (TPM) attestation
158158

159-
Using TPM attestation is the most secure method for device provisioning, as it provides authentication features in both software and hardware. Each TPM chip uses a unique endorsement key to verify its authenticity.
159+
Using TPM attestation is a method for device provisioning that uses authentication features in both software and hardware. Each TPM chip uses a unique endorsement key to verify its authenticity.
160160

161161
TPM attestation is only available for provisioning at-scale with DPS, and only supports individual enrollments not group enrollments. Group enrollments aren't available because of the device-specific nature of TPM.
162162

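Review bot: at 159+ the TPM paragraph now says only that the method "uses authentication features in both software and hardware", which tells the reader nothing about why they would pick it, and this hunk adds no reference even though the commit message is "Add more references to DPS guidance docs". Suggest linking the DPS TPM guidance here (the concepts-device-oem-security-practices.md path used in the other file of this commit fits) and keeping one concrete property, which the unchanged sentence "Each TPM chip uses a unique endorsement key to verify its authenticity" already supplies. Also note that 151+ now calls X.509 "the recommended way" while 155 still says it "is recommended for production scenarios"; the two agree, but with the comparative removed from 159+ the section no longer states how TPM relates to X.509, so a one-line pointer to the comparison in the DPS docs would close that gap.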
articles/iot-edge/how-to-provision-devices-at-scale-linux-tpm.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -52,6 +52,8 @@ The tasks are as follows:
5252

5353
A physical Linux device to be the IoT Edge device.
5454

55+
If you are a device manufacturer then refer to guidance on [integrating a TPM into the manufacturing process](../iot-dps/concepts-device-oem-security-practices.md#integrating-a-tpm-into-the-manufacturing-process).
56+
5557
This article assumes ownership of the TPM has been taken already and the endorsement key (EK) and storage root key (SRK) have been persisted. Follow the instructions relevant to your system to take ownership.
5658

5759
# [Virtual machine](#tab/virtual-machine)
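Review bot: the conditional at 55+ needs a comma ("If you are a device manufacturer, refer to ..."), and because it is inserted directly after the prerequisite "A physical Linux device to be the IoT Edge device." at 53, check the rendered page to make sure it does not land inside the prerequisites list as a stray paragraph; phrasing it as "Device manufacturers should also see the guidance on ..." placed after the list would read cleaner. The relative anchor `#integrating-a-tpm-into-the-manufacturing-process` has to match the heading text in concepts-device-oem-security-practices.md exactly, so confirm the link resolves before merging.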
@@ -167,7 +169,7 @@ In this section, you build a tool that you can use to retrieve the registration
167169
<!-- iotedge-1.4 -->
168170
:::moniker range=">=iotedge-1.4"
169171

170-
In this section, you use the TPM2 software tools to retrieve the endorsement key for your TPM and then generate a unique registration ID.
172+
In this section, you use the TPM2 software tools to retrieve the endorsement key for your TPM and then generate a unique registration ID. This section corresponds with [Step 3: Device has firmware and software installed](../iot-dps/concepts-device-oem-security-practices.md#step-3-device-has-firmware-and-software-installed) in the process for [integrating a TPM into the manufacturing process](../iot-dps/concepts-device-oem-security-practices.md#integrating-a-tpm-into-the-manufacturing-process).
171173

172174
> [!NOTE]
173175
> This article previously used the `tpm_device_provision` tool from the IoT C SDK to generate provisioning info. If you relied on that tool previously, then be aware the steps below generate a different registration ID for the same public endorsement key. If you need to recreate the registration ID as before then refer to how the C SDK's [tpm_device_provision tool](https://github.com/Azure/azure-iot-sdk-c/tree/main/provisioning_client/tools/tpm_device_provision) generates it. Be sure the registration ID for the individual enrollment in DPS matches the regisration ID the IoT Edge device is configured to use.
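Review bot: at 172+ "corresponds with" should be "corresponds to", and the sentence links the same target file twice back to back; one link to the Step 3 anchor is enough, since the manufacturing-process link is already given earlier in this file at 55+. While in this section, the unchanged note at 175 has a typo, "regisration ID", which should be "registration ID".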
