Autopilot Tool – Upload HW hash with a user interface

Download from GitHub:
https://github.com/NicklasAhlberg/AutopilotTool

.Version 1.0.3.0 (2023-07-05)
– The tool has been updated to reflect the changes done to MS Graph.
– Changes to the UI
– No need to pre-define the tenant/domain name, just sign on and you are good to go
– A registered app is needed

.Version 1.0.2.6 (2022-12-14)
– It is now possible to add multiple domains to the config-file.

.Version 1.0.2.5
– It is now possible to add a default tag to the config file

.Version 1.0.2.4
– Slightly new graphical interface
– Optional: It is now possible to add a group tag!
– Use the gather logs button to get autopilot logs as a CAB file

.Version 1.0.2.3 (2021-08-17)
It is now possible to set a default domain name. Get the latest version (1.0.2.3) from GitHub and you will find “config.txt” – edit as per your need. Thanks Dylan Brown for the idea!

.Version 1.0.2.2
It is now possible to use a custom logo. Place “logo.png” in the same directory as the .exe
Recommended logo size: 210×110 px

If you have been working with Windows Autopilot you know that manual upload of the hardware hash is a repetitive and time consuming task.

This tool will make your life easier by…

  • Install the necessary PowerShell modules
  • Connect to the tenant (MFA is supported)
  • Automatically uploading the autopilot hash to the Windows Autopilot service
  • Let you know when the upload has completed (success or error)

…. directly from the device!

No more need to struggle to manually get, move and import the csv-file from another device. All you need to do is run the tool (Shift+F10 when you get to pick your keyboard layout), start Autopilot Tool and sign in to Azure with an administrative user. This works well with MFA!

Instructions

  1. The Autopilot Tool will require a registered app in your tenant to be allowed to run the MS Graph calls. Follow the prerequisites at the end of this blog post for guidance on how to set that up.
  2. Open: Config.txt and add your tenant and client (application) ids and a group tag (save and close)
  3. Place: “Autopilot Tool.exe” and “config.txt” in same directory on either a USB-stick or on a network location
  4. Press: Shift+F10 when you are at the “pick your keyboard layout” screen
  5. Write: PowerShell + hit enter to start PowerShell
  6. Run: Install-Module MSAL.PS to install the needed PowerShell module (more info: AzureAD/MSAL.PS (github.com) )
  7. Navigate to “Autopilot Tool.exe”, press enter to start the tool
  8. Optional: add a group tag
  9. Click: Upload and sign in with a user with sufficient privileges
  10. The hash will be uploaded to the Windows Autopilot service automatically after 2-3 minutes (the tool will query the service and let you know as soon as it is ready).

Download the tool from Github:
https://github.com/NicklasAhlberg/AutoPilotTool

Windows 10 versionSupported
21H1OK
20H2OK
2004OK
1909OK
1903OK
All Windows 11OK

Prerequisites: Register the app

We will use an Azure registered app with delegated permissions to execute our MS Graph calls against. Please note that the app itself cannot do changes beyond these permissions even if the user running the tool has more permissions, and the other way around. The next steps cover how to create the app and delegate the appropriate permissions.

  1. You will need either Global Administrator or Application Administrator to register the app in Azure
  2. Navigate to: https://portal.azure.com
  3. ClickAzure Active Directory
  4. ClickApp registrations
  5. ClickNew registration
  6. Name: I will use ‘Demo-Graph‘, but you may name the app differently (What about “Autopilot Tool”?)
  7. Supported account typesAccounts in this organizational directory only
  8. Redirect URI (Select a platform)Public client/native (mobile and desktop)
  9. Redirect URI (URL)https://login.microsoftonline.com/common/oauth2/nativeclient
  10. ClickRegister
  11. Save the Application (client) ID in notepad, we will need it later
  12. ClickAPI Permissions
  13. ClickMicrosoft Graph
  14. ClickDelegated permissions
  15. Search for and mark:
    1. DeviceManagementServiceConfig.ReadWrite.All
  16. ClickAdd permissionsbelow printscreens have been reused from another post and includes more permissions than needed by the Autopilot Tool. DeviceManagementServiceConfig.ReadWrite.All is enough in our case.
  17. ClickGrant admin consent for
  18. ClickYes
  19. Make sure that the permissions have been granted accordingly
  20. Now navigate to https://portal.azure.com/
  21. ClickAzure Active Directory
  22. Save the Tenant and Client/application IDs in config.txt

20 thoughts on “Autopilot Tool – Upload HW hash with a user interface

  1. Is the administrative user you are saying in azure or just in the local admin? Thanks

    1. Hello,
      The administrative user is an Azure identity with Intune Admin privileges or similar. Thanks for your question I have updated the info text.

  2. Is it possible to exchange your logo for that of our company for internal use?

    It might be nicer for the users. Otherwise, your tool is gigantically good. Many thanks

    1. That is fully possible with latest version
      Thanks for the feedback! 🙂

      best regards

      Nicklas

  3. A handy version of this would be for a (remote) end user to run, then automatically launching the default mail client with the hash CSV file as an attachment for forwarding to IT for importing.

    1. Hi Jörn, Thanks for reaching out. That is a good idea for a future version 👍

      Regards

      //Nicklas

  4. What permissions/apps is this needing to contact? I have bypassed “microsoft intune powershell” application in my CA policies however I’m still being blocked. We require MFA AND hybrid join from global admin accounts, and despite excluding the app, these rules are still triggering on “microsoft intune powershell” despite being excluded.

    1. Hi Jason,

      The users running the tool should be “Intune admin” or similar. If your CA requires the device to be hybrid joined it will not work to you run it on a device before it has ben provisioned by Windows Autopilot, as the device is not hybrid joined at that point.

      //Nicklas

  5. Tool was working perfectly for 2 years but now we are getting “Unhandled exception has occurred in a component in your application. If you click Continue, the application will ignore this error and attempt to continue”. If we click continue it won’t do anything. Then running tool again > same error.

  6. Hello,

    When clicking on “upload” Loading sign-in prompt please wait a long time in de background and in front only a white screen not showing the Microsoft login.

    Do you have an idea?

    I make use of the config file

    1. Hi, thanks for reaching out!

      It sounds like the sign-in prompt/window doesn’t render correctly. Have you tried to close the white image/screen and click Upload again?

      Let me know how it goes.

      //Nicklas

  7. Hej Nicklas,
    I have registered the app with Granted permissions.
    Now, when i want to test the App, I get an error: “We couldn’t create the data directory” , “Microsoft Edge can’t read and write to its data directory”
    -I’m running the app as Admin
    -On a no Local Admin Device
    -Already onboarded to WAP
    -Managed by Intune
    -Hybrid joined

    Do you know if this scenario is even possible?
    P.S. New Device is coming in 2h so i will also try OOB scenario

    Thank you!
    All Best,
    Marko

    1. Hi Marko,

      * Did you fully follow the steps to register the app and apply correct API-permissions?
      * I recommend that you run the tool on a device which has not been uploaded to the Windows Autopilot service yet.

      //Nicklas

  8. I managed to get the new version working on our windows 11 machines. But we had an issue that the Get-MSALtoken command was not found and we had to install the module.

    Install-Module -Name MSAL.PS

    once installed the applicatons worked fine. Any chance to get it to install it automatically if not found in future versions please.

    1. Hi,

      Thanks for the feedback.
      As for now step 6 in the manual covers how to install the module. I am working on a new version which will not need the module at all, hope to have it done early/mid Q4.

      //Nicklas

  9. The “Autopilot Tool.exe” is not in the github repository. Did you stop supporting this tool? Thanks for your effort anyway.

    1. Hi Alfonso!

      The tool is downloaded from the releases section (found to the right) over at Github.

      br,

      Nicklas

    1. Hi, this is probably the part of the code you are looking for:

      # Get hash info from local device
      $autopilotHashDeviceHashData = (Get-WmiObject -Namespace “root/cimv2/mdm/dmmap” -Class “MDM_DevDetail_Ext01” -Filter “InstanceID=’Ext’ AND ParentID=’./DevDetail'” -Verbose:$false).DeviceHardwareData
      $autopilotHashSerialNumber = (Get-WmiObject -Class “Win32_BIOS” -Verbose:$false).SerialNumber
      $autopilotHashProductKey = (Get-WmiObject -Class “SoftwareLicensingService” -Verbose:$false).OA3xOriginalProductKey

      if ($textbox1.Text) # Add autopilot tag to json body (if needed)
      {
      $autopilotHashGroupTag = $textbox1.Text
      }

      # Create json body based upon local device info and autopilot tag
      $autopilotHashbody = @”
      {
      “importedWindowsAutopilotDeviceIdentities”: [
      {
      “groupTag”: “$autopilotHashGroupTag”,
      “serialNumber”: “$autopilotHashSerialNumber”,
      “hardwareIdentifier”: “$autopilotHashDeviceHashData”
      }
      ]
      }
      “@
      $autopilotHashData = Invoke-RestMethod -Headers @{ Authorization = “Bearer $($token)” } -Uri ‘https://graph.microsoft.com/beta/deviceManagement/importedWindowsAutopilotDeviceIdentities/import’ -Method ‘POST’ -Body $autopilotHashbody -ContentType ‘application/json’

Leave a Reply

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.