Retrieving the hardware hash for a new laptop or VM involves a few steps. Starting PowerShell, configuring the execution policy, installing the get-windowsautopilot script, answering a few prompts, and entering your credentials to upload it to your environment. In this blog post, I will show you how to minimize the number of steps needed.
App registration
To avoid entering credentials during the process, you must register an app in Azure. Follow these steps for that:
- Go to App Registrations
- Select New Registration
- Enter “Autopilot Registration” as the name, and select Register.
- Select API Permissions on the left side and select Add a permission
- Select Microsoft Graph
- Select Application permissions
- Search for DeviceManagementServiceConfig.ReadWrite.All, select the checkbox and select Add Permissions.
- Select Grant admin consent for xxxxx.onmicrosoft.com and select Yes
- Select Certificates & secrets on the left side and select New client secret.
- Enter “Autopilot Registration Secret” as a description. For example, please select how long the client secret should be valid (I selected 24 months) and click Add.
- Select the copy icon behind the value column and copy it somewhere safely (A password manager or database)
- Select Overview on the left side, copy the Application (client) ID plus the Directory (tenant) ID and save them with the value you copied in the previous step.
Creating the scripts
Now that we have an application registration that we can use for authenticating, we can create two script files that you can put on a USB drive which you can launch and will take care of getting the hardware hash and uploading to your tenant. Copy the contents below and save them as autopilot.cmd and autopilot.ps1, for example, on a USB drive. (I changed the IDs to xxxx. You need to replace them with the IDs which you saved when creating the app registration, of course 🙂 )
Autopilot.cmd
powershell.exe -executionpolicy bypass -file .\autopilot.ps1
Autopilot.ps1
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Confirm:$false -Force:$true Install-Script get-windowsautopilotinfo -Confirm:$false -Force:$true get-windowsautopilotinfo -Online -TenantId xxxx -AppId xxxx -AppSecret xxxx shutdown.exe /s /t 10
Running the autopilot.cmd
When your device is on the first OOBE (Out Of Box Experience) screen, the one with the language selection, you can follow these steps:
- Press Shift-F10 to get to a command prompt
- Go to your USB drive by entering E: (This could be different in your case)
- Enter “autopilot.cmd” to start the script
The autopilot.ps1 starts, installs the NuGet provider, downloads the get-windowsautopilot script, connects to the tenants using the app registration details, and uploads the hardware hash. When done, it shutdowns the system in ten seconds, and your system is ready to go start an Autopilot installation!
The uploaded hardware hash in Endpoint Manager from my test tenant:
Adding a Group Tag
You can add Group tags to the script if you’re using Group tags for deployment profiles. Change the autopilot.ps1 on your USB drive to the one below: (Added the -GroupTag parameter. I used VMware as an example)
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Confirm:$false -Force:$true Install-Script get-windowsautopilotinfo -Confirm:$false -Force:$true get-windowsautopilotinfo -Online -TenantId xxxx -AppId xxxx -AppSecret xxxx -GroupTag VMware shutdown.exe /s /t 10
Pingback: Blogpost – Upload Windows Autopilot hardware hash easily – 247 TECH
Pingback: Deploy a Hyper-V VM and register it for Autopilot automatically using PowerShell | PowerShell is fun :)
Kindly provide script and steps to implement in SCCM OSD task sequence to upload hardware hash to intune with multiple Group tag
I think all of the scripting parts is already in this blog, the shutdown part should be removed in a task sequence…I’m not an SCCM man, but I did see a few examples online about gathering it to a CSV which requires manual action. My script in this blog post uploads it automatically with the app registration details, Group Tag is possible also but not sure how you can specify which group tag for which deployment 😉
It takes a little bit, but you can apply a clean image, install config manager, then run the script and pass through an argument for the group tag after it boots to the OS and sets up config manager (the argument could be based on input in the UI++ or if you just have self-deploy and user driven profiles then a model check or something to ensure TPM 2.0 is enabled). Then what I was doing was applying the clean image again and using a post action to reboot to OOBE because even after using the Prepare Windows for Capture step to get rid of the client, it would still show up as hybrid. I also add a sleep step to the script at the end for about 5 minutes to make sure the correct autopilot profile is assigned.
Hey Harm! Thanks so much for this useful information and instructions! I was able to replicate it and it works! Question for you: Do you think this is possible to deploy this script through Intune?
Thank you so much for this useful information and instructions! We were able to replicate this and works great locally! Question for you: Do you think this script can be deployed through Intune? We have a ton of existing devices in our environment and want to mass upload the hash without touching individual devices.
Yes, you could deploy the script using Intune using the Scripts pane in Devices but don’t forget to remove the shutdown line 😉 By deploying it as s script, not a Win32 package, it will only run once if succesful. Assign it to one device and see if that works and then you can assign it to more devices.
Those devices in your environment, are they joined to Intune using Hybrid or Workplace join? There is a setting in the deployment profile to convert devices to Autopilot devices
Parker, assigning all devices to your autopilot profile will pull in the hashes
I noticed Get-WindowsAutopilotInfo now has an AssignedComputerName parameter and I was wondering if there was a way to upload that alongside the group tag with this method? The main pain point for autopilot right now is the naming scheme but being able to use UI++ to collect the site and asset number to create the computer name and pass that along to the script would be great and allow for the auto import of devices to our asset management system too by using the first part of the name for the site and the last part of the asset number.
You can adjust the autopilot.ps1 script with that parameter of course, you could wrap a script around it to call the get-windowsautopilotinfo.ps1 script with a parameter… Site and asset sounds like SCCM? No experience in that myself 🙂
Sorry, site probably wasn’t the best word to use. I’m at a school district, so the naming scheme I would be shooting to replicate from SCCM would be the three letter initials for the individual schools followed by the 5 digit asset number for internal tracking. I also thought this was the upload hash script that pushes the hash and group tag using MSGraph. I had no idea you could use an App ID and Secret with get-windowsautopilotinfo, so I’m definitely switching to your method since it simplifies everything and solves my problem, lol.
😊You could also use multiple Deployment profiles based on dynamic groups that are filled with group tags. In the profile you can specify the first few letters and a randy number between a certain range. Option 😅
Thank you so much for this useful information and instructions. I have one question related to secrets key and AppID, In current scenario secrets key and AppID is visible and can be compromised. how we can avoid that.
Thank you 🙂 And I understand your point, the API permissions are there and can be used. I think using the SecretManagement or Azure Key vault could be an option to store and retrieve those credentials from, having to type an unlock password for that would be something I guess…
Will put that on my To-Do list !
I have one question related to secrets key and AppID, In current scenario secrets key and AppID is visible and can be compromised. how we can avoid that.
I would appriciate you if you can help in this regard.
Thanks,
Manu Kamboj