Get the hash

Sometimes, when migrating from one tenant to another, we need to prepare the new Intune tenant with the Autopilot registrations before we start to wipe and reinstall the Windows machines. This is of course also something we need to do when we just want to start using Autopilot for existing devices.
The hardware hash needs to be imported. Luckily there is a tool for that 🙂

The script Get-WindowsAutopilotInfo is well known by now, but I will explain how I use it, combined with a few extras, to make it easier to run in an existing environment with minimal hands-on work and get the hashes into our target tenant.

There’s an app for that…

Do an app registration and use that for authentication. You can read about that in this post. The permission you need to add and grant consent for is:
DeviceManagementServiceConfig.ReadWrite.All

The script

Now that we have an application registration we can use for authentication, we can create a script that you can run manually (as admin) on the device you want to register. You can also push it through GPO or, if the devices are already in an Intune-managed environment, configure a remediation to run it on the clients.

PowerShell
#region Variables

$AppID = ""
$AppSecret = ""
$TenantId = ""
$GroupTag = ''

#endregion

#region Functions
function Get-GraphAccessToken {
    try {
        # Client-credentials flow: the token represents the app itself, no signed-in user
        $GraphHost = "https://graph.microsoft.com"
        $Body = @{client_id = $AppID; client_secret = $AppSecret; grant_type = "client_credentials"; scope = "$GraphHost/.default" }
        $OAuthReq = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $Body
        $GraphAccessToken = @{ "Authorization" = "Bearer $($OAuthReq.access_token)" }
        return $GraphAccessToken
    }
    catch {
        Write-Error $_.Exception
    }
}

function Invoke-GraphCall {
    [cmdletbinding()]
    param (
        [parameter(Mandatory = $false)]
        [ValidateSet('Get', 'Post', 'Delete')]
        [string]$Method = 'Get',

        [parameter(Mandatory = $false)]
        [hashtable]$GraphAccessToken = $script:GraphAccessToken,

        [parameter(Mandatory = $true)]
        [string]$Uri,

        [parameter(Mandatory = $false)]
        [string]$ContentType = 'Application/Json',

        [parameter(Mandatory = $false)]
        [hashtable]$Body
    )
    try {
        $params = @{
            Method      = $Method
            Headers     = $GraphAccessToken
            Uri         = $Uri
            ContentType = $ContentType
        }
        if ($Body) {
            $params.Body = $Body | ConvertTo-Json -Depth 20
        }
        if ($Method -eq "Get") {
            $request = Invoke-RestMethod @params
            # Follow @odata.nextLink until every page has been collected
            $pages = $request.'@odata.nextLink'
            while ($null -ne $pages) {
                $additional = Invoke-RestMethod -Method Get -Uri $pages -Headers $GraphAccessToken
                $pages = $additional.'@odata.nextLink'
                $request.value += $additional.value
            }
            return $request
        }
        else {
            $request = Invoke-RestMethod @params
            return $request
        }
    }
    catch {
        Write-Warning $_.Exception.Message
    }
}
#endregion

#region Get GraphAccessToken
$script:GraphAccessToken = Get-GraphAccessToken
#endregion


#region Get device info and check status
$session = New-CimSession
$serial = (Get-CimInstance -CimSession $session -Class Win32_BIOS).SerialNumber
# $serial = 'PF1WKC0C'

# The backtick escapes the $ so PowerShell does not expand $select as a variable; Graph needs the literal OData $select
$AllAutopilotDevice = (Invoke-GraphCall -Uri "https://graph.microsoft.com/beta/deviceManagement/importedWindowsAutopilotDeviceIdentities?`$select=serialNumber").value
Write-Output "AllAutopilotDevices = $(@($AllAutopilotDevice).Count)"



# Exact comparison: -match would treat the serial as a regex and also accept a registered serial that merely contains this one
if ($AllAutopilotDevice | Where-Object { $_.serialNumber -eq $serial }) {
    Write-Output "Device is registered in Autopilot."
    Exit 0
} else {
    Write-Output "Device needs to be registered in autopilot."
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Confirm:$false -Force:$true
    Install-Script get-windowsautopilotinfo -Confirm:$false -Force:$true
    Get-WindowsAutopilotInfo -Online -TenantId $TenantId -AppId $AppID -AppSecret $AppSecret -GroupTag $GroupTag
    Exit 1
}

#endregion


Set the variables you got from your app registration, and the group tag if you need one. If not, remove the -GroupTag parameter from the Get-WindowsAutopilotInfo call.

When run as is, or deployed as a remediation, the script reads the serial number of the device, lists the Autopilot devices already registered in the tenant, and checks whether this serial is among them. If it is not, it imports the hash into the tenant.
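As an added example (not code from the original post), here is a variant of the registration check that looks at the import status of the matching record instead of treating any record with the same serial as registered, because an import can end in the error state. Assumptions: $GraphAccessToken is the header hashtable produced by the Get-GraphAccessToken function above, the beta importedWindowsAutopilotDeviceIdentities endpoint accepts $select on serialNumber and state, and the objects in $sample are constructed data standing in for a real Graph response so the logic can be run offline.

```powershell
# Added example, not part of the original post. Decides whether a serial number is
# registered in Autopilot from the import status of the matching record.
# Assumes $GraphAccessToken is the header hashtable from the post's Get-GraphAccessToken.

function Get-AutopilotImportedDevices {
    param (
        [Parameter(Mandatory = $true)][hashtable]$GraphAccessToken
    )
    # Backtick escapes the $ so $select reaches Graph as a literal OData option (assumed supported for state)
    $uri = "https://graph.microsoft.com/beta/deviceManagement/importedWindowsAutopilotDeviceIdentities?`$select=serialNumber,state"
    $devices = @()
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $GraphAccessToken -ContentType 'application/json'
        $devices += $page.value
        $uri = $page.'@odata.nextLink'   # $null on the last page ends the loop
    }
    return $devices
}

function Get-AutopilotImportStatus {
    param (
        [Parameter(Mandatory = $true)][object[]]$Devices,
        [Parameter(Mandatory = $true)][string]$SerialNumber
    )
    # Exact, case-insensitive comparison: -match would treat the serial as a regex
    # and also accept a registered serial that merely contains this one as a substring.
    $match = $Devices | Where-Object { $_.serialNumber -eq $SerialNumber } | Select-Object -First 1
    if (-not $match) { return 'NotImported' }
    # deviceImportStatus is one of unknown, pending, partial, complete, error
    switch ($match.state.deviceImportStatus) {
        'complete' { return 'Registered' }
        'error'    { return "ImportFailed:$($match.state.deviceErrorName)" }
        default    { return "ImportPending:$($match.state.deviceImportStatus)" }
    }
}

# Constructed sample data standing in for a Graph response; serials and error name are made up
# so the decision logic can be exercised offline without a tenant.
$sample = @(
    [pscustomobject]@{ serialNumber = 'SAMPLE0001';  state = [pscustomobject]@{ deviceImportStatus = 'complete'; deviceErrorName = '' } }
    [pscustomobject]@{ serialNumber = 'SAMPLE0002';  state = [pscustomobject]@{ deviceImportStatus = 'error';    deviceErrorName = 'SampleImportError' } }
    [pscustomobject]@{ serialNumber = 'SAMPLE00011'; state = [pscustomobject]@{ deviceImportStatus = 'pending';  deviceErrorName = '' } }
)

foreach ($serial in 'SAMPLE0001', 'SAMPLE0002', 'SAMPLE00011', 'SAMPLE0003') {
    "{0,-12} {1}" -f $serial, (Get-AutopilotImportStatus -Devices $sample -SerialNumber $serial)
}

# Against a real tenant, replace $sample with (Get-AutopilotImportedDevices -GraphAccessToken $GraphAccessToken)
# and the serial with (Get-CimInstance -ClassName Win32_BIOS).SerialNumber; in a remediation script map
# 'Registered' to exit 0 and every other result to exit 1 so a failed import is retried rather than reported as done.
```

Mapping only the complete state to "registered" means a device whose import failed is picked up again on the next run instead of silently counting as done. Note as well that whichever check you use, the deployed script carries the app secret and is readable on every device it runs on, so keep the app registration limited to the one permission listed above and rotate the secret once the migration is finished.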
