From a0169a7710bbaf7061ee5d78eece5519e40337f8 Mon Sep 17 00:00:00 2001
From: Smith
Date: Thu, 18 Dec 2025 15:23:00 -0500
Subject: [PATCH] Add Autopilot Hardware Hash scanner
---
.../AutoPilot Hash/AutoPilot_Hash.xml | 15 ++++
.../AutoPilot Hash/Get-AutoPilotHash.ps1 | 33 ++++++++
PowerShell Scanners/AutoPilot Hash/README.md | 80 +++++++++++++++++++
3 files changed, 128 insertions(+)
create mode 100644 PowerShell Scanners/AutoPilot Hash/AutoPilot_Hash.xml
create mode 100644 PowerShell Scanners/AutoPilot Hash/Get-AutoPilotHash.ps1
create mode 100644 PowerShell Scanners/AutoPilot Hash/README.md
diff --git a/PowerShell Scanners/AutoPilot Hash/AutoPilot_Hash.xml b/PowerShell Scanners/AutoPilot Hash/AutoPilot_Hash.xml
new file mode 100644
index 0000000..4c2d646
--- /dev/null
+++ b/PowerShell Scanners/AutoPilot Hash/AutoPilot_Hash.xml
@@ -0,0 +1,15 @@
+
+
+
+ Hardware Hash
+ Harvests Windows Autopilot Hardware Hashes for Intune enrollment.
+
+
+ HardwareHash
+ PowerShell
+ File
+ Get-AutoPilotHash.ps1
+
+
+
+
\ No newline at end of file
diff --git a/PowerShell Scanners/AutoPilot Hash/Get-AutoPilotHash.ps1 b/PowerShell Scanners/AutoPilot Hash/Get-AutoPilotHash.ps1
new file mode 100644
index 0000000..e7914a4
--- /dev/null
+++ b/PowerShell Scanners/AutoPilot Hash/Get-AutoPilotHash.ps1
@@ -0,0 +1,33 @@
+<#
+.SYNOPSIS
+ Retrieves the Windows Autopilot Hardware Hash for Intune registration.
+
+.DESCRIPTION
+ Queries WMI for the MDM_DevDetail_Ext01 class to extract the 4K hardware hash.
+ Used for manual enrollment of existing devices into Windows Autopilot.
+
+.OUTPUTS
+ PSCustomObject
+#>
+
+$WmiPath = "root/cimv2/mdm/dmmap"
+$ClassName = "MDM_DevDetail_Ext01"
+
+try {
+ # Query the hash from WMI
+ $DevDetail = Get-CimInstance -Namespace $WmiPath -ClassName $ClassName -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" -ErrorAction Stop
+
+ [PSCustomObject]@{
+ ComputerName = $env:COMPUTERNAME
+ HardwareHash = $DevDetail.DeviceHardwareData
+ SerialNumber = (Get-CimInstance Win32_Bios).SerialNumber
+ }
+}
+catch {
+ # If it fails (e.g. older Windows versions), return an error message
+ [PSCustomObject]@{
+ ComputerName = $env:COMPUTERNAME
+ HardwareHash = "Error: WMI Path Not Found (Requires Win 10/11 1703+)"
+ SerialNumber = "N/A"
+ }
+}
\ No newline at end of file
diff --git a/PowerShell Scanners/AutoPilot Hash/README.md b/PowerShell Scanners/AutoPilot Hash/README.md
new file mode 100644
index 0000000..a39fa03
--- /dev/null
+++ b/PowerShell Scanners/AutoPilot Hash/README.md
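Review bot: In Get-AutoPilotHash.ps1 the `catch` block reports every failure as `"Error: WMI Path Not Found (Requires Win 10/11 1703+)"`, so an access-denied or provider error from `Get-CimInstance` cannot be told apart from an unsupported OS; surface the real cause instead, e.g. `HardwareHash = "Error: $($_.Exception.Message)"`. Two paths also bypass the `catch` entirely: a query that matches no instance leaves `$DevDetail` null and emits a row with an empty `HardwareHash`, and the `Win32_Bios` call has no `-ErrorAction Stop`, so a failure there yields a null `SerialNumber`. Because the error text is written into the `HardwareHash` column itself, the CSV export described in the README can carry it into the Intune upload as if it were a hash. A guard inside the `try` such as `if (-not $DevDetail.DeviceHardwareData) { throw 'No hardware hash returned' }`, plus a separate status property for errors, would keep bad rows identifiable.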
@@ -0,0 +1,80 @@
+Hardware Hash
+
+
+
+This scanner retrieves the Windows Autopilot Hardware Hash and Serial Number from Windows 10/11 devices. This is essential for IT administrators transitioning from Active Directory to Microsoft Entra ID (formerly Azure AD) and Intune.
+
+
+
+
+
+Description
+
+
+
+The scanner queries the MDM\_DevDetail\_Ext01 WMI class to extract the DeviceHardwareData (the 4K hardware hash). This data is required for manual device registration in the Windows Autopilot service.
+
+
+
+
+
+Columns Returned
+
+
+
+ComputerName: The local hostname.
+
+
+
+HardwareHash: The encoded 4K hardware hash.
+
+
+
+SerialNumber: The hardware serial number from the BIOS.
+
+
+
+
+
+Requirements
+
+
+
+OS: Windows 10 version 1703 or later.
+
+
+
+Hardware: TPM 2.0 is recommended for reliable hash generation.
+
+
+
+
+
+Usage
+
+
+
+1. Import the AutoPilot_Hash.xml scan profile into PDQ Inventory.
+
+
+
+2\. Ensure the Get-AutoPilotHash.ps1 file is located in a directory accessible by your PDQ console (or update the scan profile path).
+
+
+
+3\. Scan target computers.
+
+
+
+4\. Export the results to a CSV using a custom SQL report to match the Intune upload format: Device Serial Number,Windows Product ID,Hardware Hash.
+
+
+
+
+
+Contributor
+
+
+
+Gemini AI and Aaron Smith
+