Retrieving the hardware hash for a new laptop or VM involves several steps: starting PowerShell, configuring the execution policy, installing the get-windowsautopilotinfo script, answering a few prompts, and entering your credentials to upload the hash to your environment. In this blog post, I will show you how to minimize the number of steps needed.
To avoid entering credentials during the process, you must register an app in Azure. Follow these steps for that:
- Go to App Registrations
- Select New Registration
- Enter “Autopilot Registration” as the name, and select Register.
- Select API Permissions on the left side and select Add a permission
- Select Microsoft Graph
- Select Application permissions
- Search for DeviceManagementServiceConfig.ReadWrite.All, select the checkbox and select Add Permissions.
- Select Grant admin consent for xxxxx.onmicrosoft.com and select Yes
- Select Certificates & secrets on the left side and select New client secret.
- Enter “Autopilot Registration Secret” as the description, select how long the client secret should be valid (I selected 24 months, for example) and click Add.
- Select the copy icon next to the Value column and store the value somewhere safe (a password manager or database)
- Select Overview on the left side, copy the Application (client) ID plus the Directory (tenant) ID and save them with the value you copied in the previous step.
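One way to check, once consent is granted, that a token issued to this app registration carries only the DeviceManagementServiceConfig.ReadWrite.All role (an added example, not part of the original post). The function names and the sample token are constructed for illustration; `Get-AppToken` uses the standard OAuth 2.0 client-credentials request.

```powershell
# Added example: audit the application roles in a Graph access token.
# Function names and the sample token are constructed; the expected role is the one granted above.
$ExpectedRoles = @('DeviceManagementServiceConfig.ReadWrite.All')

function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-AppToken([string]$TenantId, [string]$AppId, [string]$AppSecret) {
    # OAuth 2.0 client-credentials request against the Microsoft identity platform
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $AppId
        client_secret = $AppSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

function Get-TokenRoleAudit([string]$AccessToken) {
    # Decodes the payload for inspection only; the signature is not verified.
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT (expected header.payload.signature)' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $roles  = @($claims.roles | Where-Object { $_ })
    [pscustomobject]@{
        Roles      = $roles
        Unexpected = @($roles | Where-Object { $_ -notin $ExpectedRoles })
        Missing    = @($ExpectedRoles | Where-Object { $_ -notin $roles })
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    }
}

# Offline check with a constructed, unsigned token that carries one extra role.
function ConvertTo-Base64UrlJson($Object) {
    $bytes = [Text.Encoding]::UTF8.GetBytes(($Object | ConvertTo-Json -Compress))
    [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = @{
    exp   = 1893456000
    roles = @('DeviceManagementServiceConfig.ReadWrite.All', 'Directory.ReadWrite.All')
}
$sample = (ConvertTo-Base64UrlJson @{ alg = 'none' }), (ConvertTo-Base64UrlJson $payload), 'sig' -join '.'
Get-TokenRoleAudit $sample | Format-List
# Against the real registration (values saved in the steps above):
# Get-TokenRoleAudit (Get-AppToken -TenantId 'xxxx' -AppId 'xxxx' -AppSecret 'xxxx')
```

A non-empty `Unexpected` list means the registration holds more Graph permissions than the upload needs and should be trimmed in API Permissions.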
Creating the scripts
Now that we have an app registration to authenticate with, we can create two script files and put them on a USB drive. Launching them retrieves the hardware hash and uploads it to your tenant. Copy the contents below and save them as autopilot.cmd and autopilot.ps1, for example, on a USB drive. (I changed the IDs to xxxx; replace them with the IDs you saved when creating the app registration, of course 🙂) Keep in mind that autopilot.ps1 then holds the client secret in plain text, so store the drive as carefully as the secret itself.

autopilot.cmd:

    powershell.exe -executionpolicy bypass -file .\autopilot.ps1

autopilot.ps1:

    # Install the NuGet provider that Install-Script requires
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Confirm:$false -Force:$true
    # Download the get-windowsautopilotinfo script from the PowerShell Gallery
    Install-Script get-windowsautopilotinfo -Confirm:$false -Force:$true
    # Collect the hardware hash and upload it using the app registration
    get-windowsautopilotinfo -Online -TenantId xxxx -AppId xxxx -AppSecret xxxx
    # Shut the device down after 10 seconds
    shutdown.exe /s /t 10

Running the autopilot.cmd
When your device is on the first OOBE (Out Of Box Experience) screen, the one with the language selection, you can follow these steps:
- Press Shift-F10 to get to a command prompt
- Go to your USB drive by entering E: (This could be different in your case)
- Enter “autopilot.cmd” to start the script
The autopilot.ps1 script starts, installs the NuGet provider, downloads the get-windowsautopilotinfo script, connects to the tenant using the app registration details, and uploads the hardware hash. When done, it shuts down the system after ten seconds, and your system is ready to start an Autopilot installation!
The uploaded hardware hash in Endpoint Manager from my test tenant:
Adding a Group Tag
You can add Group tags to the script if you’re using Group tags for deployment profiles. Change the autopilot.ps1 on your USB drive to the one below: (Added the -GroupTag parameter. I used VMware as an example)

    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Confirm:$false -Force:$true
    Install-Script get-windowsautopilotinfo -Confirm:$false -Force:$true
    # -GroupTag assigns the Group tag used by your deployment profiles
    get-windowsautopilotinfo -Online -TenantId xxxx -AppId xxxx -AppSecret xxxx -GroupTag VMware
    shutdown.exe /s /t 10