Thanks Kodjo! Yes, very good question. Basically you can export the public part of the Root Certificate from the Key Vault and register it with DPS (Group enrollment with X.509) or the IoT Hub. After that, your devices will be able to use certs issued by the Key Vault CA (signed by your Root CA) to provision through DPS and to connect to IoT Hub. I am planning on releasing part two demonstrating exactly this.