How to decode an Autopilot hash

You may have noticed that an Autopilot hash looks a little different every time you create it. In this blog post I want to show you how to decode an Autopilot hash and display its content.

What is a hardware hash

To enroll a device as an Autopilot device you need a hardware hash. The hardware hash is an encoded XML document that contains information about the device, especially about its hardware. This hash is needed to uniquely link the device to a company's tenant. To generate and upload the hash you can use the following PowerShell script: Get-WindowsAutoPilotInfo.ps1

Install the deployment tools from the Windows ADK

We need a tool that helps us decode the hardware hash. For this we need to install the Windows ADK.

  • Install the Windows SDK.
  • Click Next
  • Select No and click Next
  • Accept the License Agreement
  • Select only the Deployment Tools and click Install

Generate the Hardware hash

If you look into the Get-WindowsAutoPilotInfo.ps1 script, the creation of the hardware hash is quite simple:

    # Run in an elevated PowerShell session.
    # Query the MDM bridge WMI provider for the device details.
    $session = New-CimSession
    $devDetail = (Get-CimInstance -CimSession $session -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'")
    # DeviceHardwareData holds the encoded hardware hash.
    $hash = $devDetail.DeviceHardwareData
    Write-Host $hash

Now we just need to pass the hash ($devDetail.DeviceHardwareData) to the deployment tool oa3tool.exe, which converts it into XML. You can find the tool at the following path: 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\Licensing\OA30\oa3tool.exe'.

The final script looks like this:

    # Read the encoded hardware hash from the MDM bridge WMI provider.
    $session = New-CimSession
    $devDetail = (Get-CimInstance -CimSession $session -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'")
    $hash = $devDetail.DeviceHardwareData
    Write-Host $hash
    # Decode the hash into XML with oa3tool.exe from the ADK Deployment Tools.
    & 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\Licensing\OA30\oa3tool.exe' /DecodeHwHash="$($devDetail.DeviceHardwareData)"

Conclusion

The reason the hash looks different on each execution is the timestamp contained in the hash:

    <p n="OsSystemTime" v="2022-05-27T11:53:55Z" />
    <p n="OsLocalTime" v="2022-05-27T13:53:55+02:00" />

In the end, the hardware hash is an encoding of several different values. Apart from the time, the decoded content always looks the same; the changing time alone is what makes the encoded hash different on every run. I hope I could give you an insight behind the scenes of the Autopilot device hash with this script.
Stay healthy, Cheers
Jannik
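
The following is an added example, not part of the original post or of Get-WindowsAutoPilotInfo.ps1: it checks whether two different-looking hashes decode to the same device by comparing their decoded `<p n="..." v="..." />` properties while ignoring the two time properties shown above. The function names and the sample property names `ExampleSerialNumber` and `ExampleModel` are constructed for illustration; only `OsSystemTime` and `OsLocalTime` come from the post.

```powershell
# Properties that change on every run, as shown in the decoded output above.
$VolatileProperties = @('OsSystemTime', 'OsLocalTime')

function Get-StableHashProperty {
    # Parse <p n="..." v="..." /> entries from decoded oa3tool output and emit
    # "name=value" strings, skipping the time-dependent properties.
    param([Parameter(Mandatory)][string]$DecodedText)
    $pattern = '<p\s+n="(?<name>[^"]+)"\s+v="(?<value>[^"]*)"\s*/>'
    foreach ($m in [regex]::Matches($DecodedText, $pattern)) {
        $name = $m.Groups['name'].Value
        if ($VolatileProperties -notcontains $name) {
            '{0}={1}' -f $name, $m.Groups['value'].Value
        }
    }
}

function Test-SameDeviceHash {
    # True when both decoded outputs carry identical non-volatile properties.
    param([Parameter(Mandatory)][string]$First,
          [Parameter(Mandatory)][string]$Second)
    $a = @(Get-StableHashProperty -DecodedText $First)
    $b = @(Get-StableHashProperty -DecodedText $Second)
    if ($a.Count -eq 0 -or $b.Count -eq 0) {
        throw 'No <p n="..." v="..." /> properties found; was the hash decoded?'
    }
    return @(Compare-Object -ReferenceObject $a -DifferenceObject $b).Count -eq 0
}

# Constructed sample data: two runs on one device, then a different device.
$runA = @'
<p n="ExampleSerialNumber" v="CONSTRUCTED-0001" />
<p n="ExampleModel" v="Constructed Model X" />
<p n="OsSystemTime" v="2022-05-27T11:53:55Z" />
<p n="OsLocalTime" v="2022-05-27T13:53:55+02:00" />
'@
$runB = $runA -replace '11:53:55Z', '12:10:02Z' -replace '13:53:55\+', '14:10:02+'
$other = $runA -replace 'CONSTRUCTED-0001', 'CONSTRUCTED-0002'

Write-Host "Same device, two runs: $(Test-SameDeviceHash -First $runA -Second $runB)"
Write-Host "Different device:      $(Test-SameDeviceHash -First $runA -Second $other)"
```

To use it on real output, capture the text that the oa3tool.exe call from the final script prints (joined into a single string) and pass it in as `-First` and `-Second`.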
