Get the hash

Sometimes when I am migrating from one tenant to another we need to prepare the new Intune tenant with the autopilot registrations before we start to wipe and reinstall the windows machines. This is of course also something we need to do when we just want to star using autopilot for existing devices.
The hardware hash needs to be imported. Luckily there is a tool for that 🙂

The script Get-WindowsAutopilotInfo is well know by this time but I will explain how I use it in combination with some stuff to be more easy to use on an existing environment, with minimum hands-on, to get the hashes into our target tenant.

There’s an app for that…

Do an app registration and use that for authentication. You can read about that in this post. The permission you need to add and consent is :

The script

Now that we have an application registration that we can use for authenticating, we can create a script that you can run manually (as admin) on the device you want to register. But you can also push it through GPO or if the devices already are in an Intune managed environment, configure a remediation to run on the clients.

#region Variables

$AppID = ""
$AppSecret = ""
$TenantId = ""
$GroupTag = ''


#region Functions
function Get-GraphAccessToken {
    try {
        $GraphHost = ""
        $Body = @{client_id = $AppID; client_secret = $AppSecret; grant_type = "client_credentials"; scope = "$GraphHost/.default"; }
        $OAuthReq = Invoke-RestMethod -Method Post -Uri "$TenantId/oauth2/v2.0/token" -Body $Body
        $GraphAccessToken = @{ "Authorization" = "Bearer $($OAuthReq.access_token)" }
        return $GraphAccessToken
    catch {
        Write-Error $_.Exception

function Invoke-GraphCall {
    param (
        [parameter(Mandatory = $false)]
        [ValidateSet('Get', 'Post', 'Delete')]
        [string]$Method = 'Get',

        [parameter(Mandatory = $false)]
        [hashtable]$GraphAccessToken = $script:GraphAccessToken,

        [parameter(Mandatory = $true)]

        [parameter(Mandatory = $false)]
        [string]$ContentType = 'Application/Json',

        [parameter(Mandatory = $false)]
    try {
        $params = @{
            Method      = $Method
            Headers     = $GraphAccessToken
            Uri         = $Uri
            ContentType = $ContentType
        if ($Body) {
            $params.Body = $Body | ConvertTo-Json -Depth 20
        if ($Method -eq "Get") {
            $request = Invoke-RestMethod @params
            $pages = $request.'@odata.nextLink'
            while ($null -ne $pages) {
                $addtional = Invoke-RestMethod -Method Get -Uri $pages -Headers $GraphAccessToken
                if ($pages) {
                    $pages = $addtional."@odata.nextLink"
                $request.value += $addtional.value
            return $request
        else {
            $request = Invoke-RestMethod @params
            return $request
    catch {
        Write-Warning $_.Exception.Message

#region Get GraphAccessToken
$script:GraphAccessToken = Get-GraphAccessToken

#region Get device info and check status
$session = New-CimSession
$serial = (Get-CimInstance -CimSession $session -Class Win32_BIOS).SerialNumber
# $serial = 'PF1WKC0C'

$AllAutopilotDevice = (Invoke-GraphCall -Uri "`select=serialNumber").value
Write-Output "AllAutopilotDevices = $($"

if ($AllAutopilotDevice | Where-Object {$_.serialNumber -match $serial}){
    Write-Output "Device is registered in Autopilot."
    Exit 0
}else {
    Write-Output "Device needs to be registered in autopilot."
    Install-PackageProvider -Name NuGet -MinimumVersion -Confirm:$false -Force:$true
    Install-Script get-windowsautopilotinfo -Confirm:$false -Force:$true
    Get-WindowsAutopilotInfo -Online -TenantId $TenantID -AppId $AppID -AppSecret $AppSecret -GroupTag $GroupTag
    Exit 1


Set the variables that you got from your app registration and the group tag if you need one. If not remove the -GroupTag parameter on line 98.

When running the script as is or as an app it will check the serial number on the device. List the registered autopilot devices in the tenant and check if it is registered. If it is not then import the has into the tenant.

Leave a Reply

Your email address will not be published. Required fields are marked *