
Exam AZ-220 topic 2 question 2 discussion

Actual exam question from Microsoft's AZ-220
Question #: 2
Topic #: 2

You have 10,000 IoT devices that connect to an Azure IoT hub. The devices do not support over-the-air (OTA) updates.
You need to decommission 1,000 devices. The solution must prevent connections and autoenrollment for the decommissioned devices.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Update the connectionState device twin property on all the devices.
  • B. Blacklist the X.509 root certification authority (CA) certificate for the enrollment group.
  • C. Delete the enrollment entry for the devices.
  • D. Remove the identity certificate from the hardware security module (HSM) of the devices.
  • E. Delete the device identity from the device registry of the IoT hub.
Suggested Answer: CE
In general, deprovisioning a device involves two steps:
  • Disenroll the device from your provisioning service, to prevent future auto-provisioning. Depending on whether you want to revoke access temporarily or permanently, you may want to either disable or delete an enrollment entry.
  • Deregister the device from your IoT Hub, to prevent future communications and data transfer. Again, you can temporarily disable or permanently delete the device's entry in the identity registry for the IoT Hub where it was provisioned.
Reference:
https://docs.microsoft.com/en-us/azure/iot-dps/how-to-unprovision-devices
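As an added example (not part of the original page or of Microsoft's documentation), a shell script that applies this two-step deprovisioning to a file of device IDs with the Azure CLI. Resource names are placeholders, and it assumes each device's DPS enrollment registration ID is the same string as its IoT hub device ID.

```bash
#!/usr/bin/env bash
# Added example, not from the page or from Microsoft: decommission a list of
# devices with the two steps above, (1) delete each device's DPS enrollment
# entry (answer C) and (2) delete its identity from the IoT hub registry
# (answer E). Assumes the Azure CLI with the azure-iot extension, placeholder
# resource names, and that a device's enrollment registration ID equals its
# IoT hub device ID. Commands are only printed unless APPLY=1 is set.
set -eu

DPS_NAME="${DPS_NAME:-my-dps}"             # placeholder DPS instance
HUB_NAME="${HUB_NAME:-my-iot-hub}"         # placeholder IoT hub
RESOURCE_GROUP="${RESOURCE_GROUP:-my-rg}"  # placeholder resource group

# Step 1 (C): delete the per-device enrollment so DPS will not re-provision it.
# This leaves the enrollment group and its root CA untouched, so the other
# 9,000 devices keep provisioning. (For a temporary block, use
# 'az iot dps enrollment update ... --provisioning-status disabled' instead.)
disenroll_cmd() {
  printf 'az iot dps enrollment delete --dps-name %s -g %s --enrollment-id %s\n' \
    "$DPS_NAME" "$RESOURCE_GROUP" "$1"
}

# Step 2 (E): delete the device identity so the hub rejects its connections.
deregister_cmd() {
  printf 'az iot hub device-identity delete --hub-name %s --device-id %s\n' \
    "$HUB_NAME" "$1"
}

# Apply both steps to every device ID in a file (one per line; blank lines and
# '#' comments are skipped). Prints the number of devices processed.
deprovision_from_file() {
  file="$1"; count=0
  while IFS= read -r id || [ -n "$id" ]; do
    case "$id" in ''|'#'*) continue ;; esac
    # Only hand IDs made of a safe character set to eval.
    case "$id" in *[!A-Za-z0-9._:-]*)
      echo "skipping unsafe device id: $id" >&2; continue ;;
    esac
    for cmd in "$(disenroll_cmd "$id")" "$(deregister_cmd "$id")"; do
      if [ "${APPLY:-0}" = "1" ]; then eval "$cmd"; else echo "[dry-run] $cmd" >&2; fi
    done
    count=$((count + 1))
  done < "$file"
  echo "$count"
}
```

Run it as `APPLY=1 ./deprovision.sh` only after reviewing the dry-run output; the script never touches the enrollment group or its root CA certificate (option B), so the remaining devices are unaffected.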

Comments

bob2Be
Highly Voted 4 years, 10 months ago
Should not the answer be C & E? The question asks for stopping the auto enrollment for 1000 devices out of the 10,000.
upvoted 19 times
getazusername
4 years, 6 months ago
Yes, you need first to disconnect them and then prevent it from enrollment.
upvoted 4 times
FacuTheRock
Highly Voted 4 years, 6 months ago
I think correct answers should be C and E. The statement says "MUST PREVENT CONNECTIONS AND AUTO-ENROLLMENT". By deleting the enrollment entry, we are preventing devices from auto-enrolling but not from connecting. That's why we need also to delete their identities in the Identity Registry. Blacklisting the Root certificate would impact on the 10k devices, and we only want to disallow 1k devices. Even when we can create intermediate certificates to disallow certain path in the chain, that option is not listed, and Option B clearly mentions ROOT CERTIFICATE, so I don't agree with option B.
upvoted 13 times
tedsi
4 years, 5 months ago
I agree that this is correct. You don't want to affect the remaining devices - so can't blacklist. And since this is a permanent removal, disenroll and deregistration is the right process.
upvoted 5 times
liberty123
Most Recent 3 years, 2 months ago
Selected Answer: CE
Agree with CE
upvoted 1 times
kokosek
4 years, 1 month ago
For me, B is a wrong answer. It's required to deprovision 1000 of 10000 devices. Blacklisting the root certificate seems like it will disable enrollments with other intermediate/leaf certificates chained to that root cert. There is a possibility that other devices require that root cert, so doing that may cause issues in a real-life scenario.
upvoted 3 times
BoomJosh
4 years, 1 month ago
Appeared for exam on 3/24/2021 and successfully cleared it, this question was there.
upvoted 3 times
LiamRT
4 years, 4 months ago
To deprovision a device that has an individual enrollment: 1. Disenroll the device from your provisioning service. 2. Disable or delete the device in the identity registry of the IoT hub that it was provisioned to. https://docs.microsoft.com/en-us/azure/iot-dps/how-to-unprovision-devices C & E it seems.
upvoted 8 times
ipindado2020
4 years, 5 months ago
Agree on BC
upvoted 1 times
ipindado2020
4 years, 5 months ago
Changed my mind to CE
upvoted 5 times
rjdask
4 years, 7 months ago
Confusion here seems to be surrounding the term: blacklist. Given answer is correct. The documentation actually states this as being "disallowed". X.509 certificates are typically arranged in a certificate chain of trust. If a certificate at any stage in a chain becomes compromised, trust is broken. "The certificate must be disallowed to prevent Device Provisioning Service from provisioning devices downstream in any chain that contains that certificate. To learn more about X.509 certificates and how they are used with the provisioning service, see X.509 certificates." https://docs.microsoft.com/en-us/azure/iot-dps/how-to-revoke-device-access-portal
upvoted 1 times
angelsrp
4 years, 9 months ago
Correct ans are BC. Deprovisioning process: - Disenrollment (blacklist individual devices or an enrollment group) - Deregister (delete the device enrollment entries)
upvoted 3 times
thestillheron
4 years, 10 months ago
Guidance for this scenario has changed. To blacklist specific devices in an Enrollment group, without blacklisting the entire enrolment group, you can add the specific devices and their certificates as individually enrolled devices, and then disable them. DPS first checks individual enrolments. If it finds a match that is disabled, it will refuse the connection, even if a non-blacklisted match exists in group enrolments: https://docs.microsoft.com/en-us/azure/iot-dps/how-to-revoke-device-access-portal#blacklist-specific-devices-in-an-enrollment-group
upvoted 2 times
EyeeyeeyeeyeeyeeyeeyeeyeSPIDER
4 years, 10 months ago
B & C is the correct answer - blacklist the cert or delete the enrollment group. To blacklist the certificate, you can either disable or delete its enrollment group.
upvoted 3 times
Mardy
4 years, 10 months ago
I think it's B & E - https://docs.microsoft.com/en-us/azure/iot-dps/how-to-unprovision-devices
upvoted 4 times
redSandton
4 years, 10 months ago
I also think B&E because there are 2 basic steps to disenroll an automatically provisioned device: first, blacklist the certificate/disable the enrollment group; secondly, delete/disable the device entry in the IoT hub identity registry.
upvoted 1 times
Bengkel
4 years, 9 months ago
It states "For devices that use X.509 attestation, you may want to disable/delete an entry in the hierarchy of your existing enrollment groups". So this is not always mandatory. The page is clear: Disenroll and Deregister = C & E.
upvoted 5 times
niceguy0371
4 years, 8 months ago
I think it's B&E. 1st: The question is not clear if these 1,000 devices are in 1 enrollment group or if all 10,000 devices are in one enrollment group. 2nd: The question states that there are 10,000 devices and you only need to prevent 1000 devices from autoenrollment. So, assuming that all the 10,000 devices are in the same enrollment group (because it's not specified), blacklisting the certificate affects all 10,000 devices. So, you have to delete the enrollment entries for the 10000 devices and delete the device identity from the device registry in the IoT hub. Just like preventing one single IoT device from autoenrollment.
upvoted 2 times
niceguy0371
4 years, 8 months ago
I mean C&E of course.
upvoted 8 times
Community vote distribution: A (35%), C (25%), B (20%), Other