diff --git a/src/routes/provision.js b/src/routes/provision.js
index 19c7d6dc4..5253d4f0e 100644
--- a/src/routes/provision.js
+++ b/src/routes/provision.js
@@ -2,6 +2,7 @@
 exports = module.exports = {
 providerTokenAuth,
+ verifyUnprovisioned,
 setup,
 activate,
 restore,
@@ -34,6 +35,13 @@ function setupTokenAuth(req, res, next) {
 return next();
 }
+async function verifyUnprovisioned(req, res, next) {
+ const activated = await users.isActivated();
+ if (activated) return next(new HttpError(405, 'route unavailable post activation'));
+
+ next();
+}
+
 async function providerTokenAuth(req, res, next) {
 assert.strictEqual(typeof req.body, 'object');
@@ -136,9 +144,6 @@ async function getStatus(req, res, next) {
 }
 async function getBlockDevices(req, res, next) {
- const activated = await users.isActivated();
- if (activated) throw new BoxError(BoxError.NOT_ALLOWED, 'Only available during restore.');
-
 const [error, devices] = await safe(system.getBlockDevices());
 if (error) return next(new HttpError(500, error));
diff --git a/src/server.js b/src/server.js
index 89f734e19..25845d089 100644
--- a/src/server.js
+++ b/src/server.js
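Review bot: In `verifyUnprovisioned` (src/routes/provision.js, second hunk) the `await users.isActivated()` call is not wrapped, unlike the `safe(system.getBlockDevices())` call visible in `getBlockDevices` in the same file. If that lookup rejects, the async middleware ends without calling `next`, and unless the Express version in use forwards rejected handlers (not visible here) the request is left hanging rather than failing closed with an explicit error. Because this function now sits in front of the setup, restore, activate and block_devices routes, I would handle the failure explicitly: `const [error, activated] = await safe(users.isActivated());` followed by `if (error) return next(new HttpError(500, error));`. A one-line comment above the function, such as `// gate for routes that must not be reachable once an owner account exists`, would also record why it has to be mounted on every provisioning route.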
@@ -81,10 +81,12 @@ async function initializeExpressSync() {
 const authorizeUser = routes.accesscontrol.authorize(users.ROLE_USER);
 // boostrapping/provision routes
- router.post('/api/v1/provision/setup', json, routes.provision.setupTokenAuth, routes.provision.providerTokenAuth, routes.provision.setup); // only available until no-domain
- router.post('/api/v1/provision/restore', json, routes.provision.setupTokenAuth, routes.provision.restore); // only available until activated
- router.post('/api/v1/provision/activate', json, routes.provision.setupTokenAuth, routes.provision.activate);
- router.get ('/api/v1/provision/block_devices', routes.provision.getBlockDevices);
+ const setupTokenAuth = routes.provision.setupTokenAuth;
+ const verifyUnprovisioned = routes.provision.verifyUnprovisioned;
+ router.post('/api/v1/provision/setup', json, verifyUnprovisioned, setupTokenAuth, routes.provision.providerTokenAuth, routes.provision.setup);
+ router.post('/api/v1/provision/restore', json, verifyUnprovisioned, setupTokenAuth, routes.provision.restore);
+ router.post('/api/v1/provision/activate', json, verifyUnprovisioned, setupTokenAuth, routes.provision.activate);
+ router.get ('/api/v1/provision/block_devices', verifyUnprovisioned, routes.provision.getBlockDevices);
 router.get ('/api/v1/provision/status', routes.provision.getStatus);
 // auth routes
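Review bot: `verifyUnprovisioned` is mounted after `json` on the three POST routes, so on an activated box a caller without any token still has a request body parsed before the 405 is returned. Mounting the gate first keeps the rejected path as small as possible, for example `router.post('/api/v1/provision/restore', verifyUnprovisioned, json, setupTokenAuth, routes.provision.restore);` and likewise for setup and activate. Separately, `/api/v1/provision/block_devices` has no `setupTokenAuth` in its chain, so before activation it presumably answers any client that can reach the API. If that is intentional, a comment saying so would help, because the trailing comments this hunk removes (`only available until no-domain`, `only available until activated`) were the only description of when each route is open.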