Upload Windows Autopilot hardware hash easily

Retrieving the hardware hash for a new laptop or VM involves a few steps: starting PowerShell, configuring the execution policy, installing the Get-WindowsAutopilotInfo script, answering a few prompts, and entering your credentials to upload the hash to your environment. In this blog post, I will show you a way to minimize the number of steps needed.

App registration

To avoid having to enter credentials during the process, you have to register an app in Azure. Follow these steps:

  • Go to App Registrations
  • Select New Registration
  • Enter a name (“Autopilot Registration”, for example) and select Register
  • Select API Permissions on the left side and select Add a permission
  • Select Microsoft Graph
  • Select Application permissions
  • Search for DeviceManagementServiceConfig.ReadWrite.All, select the checkbox and select Add Permissions
  • Select Grant admin consent for xxxxx.onmicrosoft.com and select Yes
  • Select Certificates & secrets on the left side and select New client secret
  • Enter a description (“Autopilot Registration Secret”, for example), select how long the client secret should be valid (I selected 24 months) and click Add
  • Select the copy icon next to the Value column and store the value somewhere safe (a password manager or database)
  • Select Overview on the left side, copy the Application (client) ID and the Directory (tenant) ID, and save them together with the value you copied in the previous step
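The client secret created in these steps stays valid for as long as you selected, so it is useful to be able to check which application permissions the registration requests and how long each secret has left. The following is an added example, not part of the original post: the function name, the 30-day threshold and the sample object are assumptions made for illustration, and the live lookup in the comments assumes the Microsoft.Graph PowerShell SDK is installed.

```powershell
# Added example, not from the original post. Function name, threshold and sample data are
# constructed for illustration; the live lookup assumes the Microsoft.Graph PowerShell SDK.
function Test-AutopilotAppRegistration {
    param(
        [Parameter(Mandatory)] $Application,            # shaped like Get-MgApplication output
        [Parameter(Mandatory)] [hashtable] $RoleNames,  # Graph app role id -> permission name
        [string[]] $Expected = @('DeviceManagementServiceConfig.ReadWrite.All'),
        [int] $WarnDays = 30,
        [datetime] $Now = (Get-Date)
    )
    # Application permissions (Type 'Role') the registration requests, resolved to names.
    $perms = @(foreach ($res in $Application.RequiredResourceAccess) {
        foreach ($a in $res.ResourceAccess) {
            $id = [string]$a.Id
            if ($a.Type -eq 'Role') { if ($RoleNames.ContainsKey($id)) { $RoleNames[$id] } else { $id } }
        }
    })
    [pscustomobject]@{
        App         = $Application.DisplayName
        Permissions = $perms
        Unexpected  = @($perms | Where-Object { $_ -notin $Expected })
        Secrets     = @($Application.PasswordCredentials | Where-Object { $_ } | ForEach-Object {
            $days = [math]::Floor(($_.EndDateTime - $Now).TotalDays)
            [pscustomobject]@{
                Name = $_.DisplayName; KeyId = $_.KeyId; DaysLeft = $days
                Status = if ($days -lt 0) { 'Expired' } elseif ($days -le $WarnDays) { 'ExpiringSoon' } else { 'Valid' }
            }
        })
    }
}
# Live lookup (delegated scope Application.Read.All):
#   Connect-MgGraph -Scopes 'Application.Read.All'
#   $graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
#   $names = @{}; $graph.AppRoles | ForEach-Object { $names[[string]$_.Id] = $_.Value }
#   $app   = Get-MgApplication -Filter "displayName eq 'Autopilot Registration'"
# Constructed sample so the function runs offline (all ids are made up).
$names = @{ '11111111-1111-1111-1111-111111111111' = 'DeviceManagementServiceConfig.ReadWrite.All'
            '22222222-2222-2222-2222-222222222222' = 'Directory.ReadWrite.All' }
$app = [pscustomobject]@{
    DisplayName            = 'Autopilot Registration'
    RequiredResourceAccess = @([pscustomobject]@{ ResourceAccess = @(
        [pscustomobject]@{ Id = '11111111-1111-1111-1111-111111111111'; Type = 'Role' },
        [pscustomobject]@{ Id = '22222222-2222-2222-2222-222222222222'; Type = 'Role' }) })
    PasswordCredentials    = @([pscustomobject]@{ DisplayName = 'Autopilot Registration Secret'
        KeyId = '33333333-3333-3333-3333-333333333333'; EndDateTime = (Get-Date).AddDays(20) })
}
$report = Test-AutopilotAppRegistration -Application $app -RoleNames $names
$report | Format-List App, Permissions, Unexpected
$report.Secrets | Format-Table Name, DaysLeft, Status
```

Deleting a secret under Certificates & secrets in the app registration invalidates every saved copy of it, after which a new secret has to be created and put into the script.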

Creating the scripts

Now that we have an application registration that we can use for authentication, we can create two script files to put on a USB drive. Launching them takes care of getting the hardware hash and uploading it to your tenant. Copy the contents below and save them on a USB drive as, for example, autopilot.cmd and autopilot.ps1. (I changed the IDs to xxxx; you need to replace them with the IDs you saved when creating the app registration, of course 🙂 )

Autopilot.cmd

powershell.exe -executionpolicy bypass -file .\autopilot.ps1

Autopilot.ps1

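# Install the NuGet package provider that Install-Script depends on
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Confirm:$false -Force:$true
# Download the Get-WindowsAutopilotInfo script
Install-Script get-windowsautopilotinfo -Confirm:$false -Force:$true
# Collect the hardware hash and upload it using the app registration details
get-windowsautopilotinfo -Online -TenantId xxxx -AppId xxxx -AppSecret xxxx
# Shut the device down after 10 seconds
shutdown.exe /s /t 10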

Running the autopilot.cmd

When your device is on the first OOBE (Out Of Box Experience) screen, the one with the language selection, you can follow these steps:

  • Press Shift-F10 to get to a command prompt
  • Go to your USB drive by entering E: (the drive letter could be different in your case)
  • Enter “autopilot.cmd” to start the script

The autopilot.ps1 script starts, installs the NuGet provider, downloads the Get-WindowsAutopilotInfo script, connects to the tenant using the app registration details, and uploads the hardware hash. When done, it shuts the system down after ten seconds, and your system is ready to start an Autopilot installation!

The uploaded hardware hash in Endpoint Manager from my test tenant:

Adding a Group Tag

If you’re using Group Tags for deployment profiles, you can add them to the script. Change the autopilot.ps1 on your USB drive to the one below. (I added the -GroupTag parameter and used VMware as an example.)

Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Confirm:$false -Force:$true
Install-Script get-windowsautopilotinfo -Confirm:$false -Force:$true
get-windowsautopilotinfo -Online -TenantId xxxx -AppId xxxx -AppSecret xxxx -GroupTag VMware
shutdown.exe /s /t 10