For zero-touch provisioning of devices at scale using device configuration templates by device type, a secure element, a provisioning wizard, a provisioning client, an enrollment client, an update client, an enrollment service, an update publisher service, signing and encryption certificates, a method including generating device configuration templates for enrollment and update by device type, sending device configuration templates signed with a device owner signing certificate, and a device owner encryption certificate to the device manufacturer, generating a device configuration for a device based on the device configuration templates using a secure element on the device for immutable device identity, an extended configuration for the device, signing the device configuration with a device manufacturer signing certificate and a secure element signing certificate, encrypting the doubly signed device configuration with an owner encryption certificate, configuring bootstrap metadata, and configuring the device provisioning client to autostart at power-on for device enrollment and update.