How to silently create an Autopilot Hardware Hash in WinPE and upload the Hash unattended using Symantec ITMS

In this blog article we combine information from Michael Meier, David Segura, Niklas Rast and Michael Niehaus.

If you ever wanted to know whether it's possible to silently create an Autopilot hardware hash in WinPE and upload the generated hash unattended to your Intune tenant, then continue reading this blog post.

I'm focusing on using this technique with Altiris Deployment Solution, but it can easily be modified to work with other deployment solutions such as Ghost Solution Suite, WDS, MDT, etc.

Before we start, as usual, here are the requirements.

Prerequisites:

  • Download Files from Github repository
  • OA3tool.exe from Windows ADK
  • Create an Entra ID App registration
  • Modify the Upload_Hash.ps1 File using your Tenant ID, AppID and Secret
  • WinPE with PowerShell and PowerShell Gallery support
  • PCPKsp.dll File from Windows 10 / Windows 11 (C:\Windows\System32)

Download Files from Github repository

Download the required files from the GitHub repository.

OA3Tool.exe from Windows ADK

Install the Windows ADK and copy OA3Tool.exe from C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\Licensing\OA30

Create an Entra ID App registration

An Entra ID app registration is needed; it acts as the service principal that the upload script authenticates with.

Open a web browser and navigate to https://entra.microsoft.com. Under Identity, click Applications -> App registrations and select New registration.

Provide a name (unattended_Autopilot_Registration) for the new app and select "Accounts in this organizational directory only".

Click "Register".

Click API permissions and add the Microsoft Graph permission DeviceManagementServiceConfig.ReadWrite.All (an application permission, since the script authenticates without a signed-in user).

Click Grant admin consent.

Navigate to Certificates & secrets and add a client secret.

Copy the secret value before you leave the page; it is not shown again afterwards.

Select Overview and copy the Application (client) ID and the Directory (tenant) ID.

Modify the Upload_Hash.ps1 File

Edit the Upload_Hash.ps1 file (downloaded from the GitHub repo) and replace the values for Tenant ID, AppID and AppSecret:

$TenantID = "your Azure Tenant ID goes here"
$AppID= "your AppID goes here"
$AppSecret = "your AppSecret goes here"

WinPE with PowerShell and PS Gallery Support

In general you need to add PowerShell support to your WinPE boot image and add the files from the GitHub repo to the root of your WinPE (X:\ drive), including OA3Tool.exe and PCPKsp.dll.

PowerShell Gallery support is added automatically later, inside WinPE, using the following PowerShell command: iex(irm sandbox.osdcloud.com). Thanks to David Segura.

PCPKsp.dll File

Copy the file C:\Windows\System32\PCPKsp.dll from your Windows 10/11 installation to the root of your WinPE (X:\).

Using Altiris Deployment Solution

Boot your device into WinPE using the Altiris Deployment Tool (if not already done, create a copy job that copies the files from the GitHub repository to your WinPE X:\ drive). I've used this method instead of adding the files directly to the WinPE image because it is a little more flexible (see the screenshots).

1. Create a Preboot Configuration in the Symantec ITMS Console using Settings ->
Deployment -> Manage Preboot Configuration. (optional: You could also create a WinPE ISO File)

2. Download the Files from the Github Repository and add the OA3Tool.exe and the PCPksp.dll Files

3. Create an Altiris Task to copy the Files into WinPE and combine the Tasks in a Job

4. Create a “run Script” Task in Altiris using the following Command Script

powershell X:\set-timezone.ps1

This is needed because otherwise you get "The provided access token has expired". Check that the system date/time is correct.

Output:

5. Create a “run Script” Task in Altiris using the following Command Script

powershell x:\oa3_create_hash.ps1 -outputfile "X:\autopilot.csv"

Output:
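The following script is an added example of what step 5 does; it is not the oa3_create_hash.ps1 from the blog's GitHub repository. It runs OA3Tool.exe in WinPE, reads the hardware hash out of the report and writes the CSV that the upload step expects. Assumptions not stated on the page: OA3Tool.exe, PCPKsp.dll and an OA3 configuration file named OA3.cfg already sit in X:\ (the file names OA3.cfg and OA3.xml are mine), OA3Tool writes its report to OA3.xml in the working directory, and the report carries the hash in a <Key><HardwareHash> element.

```powershell
<#
  Added example (not the repository's oa3_create_hash.ps1).
  Assumed layout: X:\OA3Tool.exe, X:\PCPKsp.dll, X:\OA3.cfg; report lands in X:\OA3.xml.
  Run in WinPE as:  powershell X:\create_hash_example.ps1 -OutputFile X:\autopilot.csv
#>
param(
    [string]$OutputFile = "X:\autopilot.csv",
    [string]$WorkDir    = "X:\",
    [string]$GroupTag   = ""
)

$ErrorActionPreference = "Stop"
$oa3Tool    = Join-Path $WorkDir "OA3Tool.exe"
$configFile = Join-Path $WorkDir "OA3.cfg"    # assumed name of the OA3 config file
$reportFile = Join-Path $WorkDir "OA3.xml"    # assumed name/location of the report

foreach ($f in @($oa3Tool, $configFile, (Join-Path $WorkDir "PCPKsp.dll"))) {
    if (-not (Test-Path $f)) { throw "Required file missing: $f" }
}

# Run from X:\ so the report is written next to the tool (assumption, see lead-in).
Push-Location $WorkDir
try {
    if (Test-Path $reportFile) { Remove-Item $reportFile -Force }
    # /Report generates the hardware hash report; /NoKeyCheck skips product-key
    # validation, which is what lets the tool run in WinPE without an OEM key.
    & $oa3Tool /Report "/ConfigFile=$configFile" /NoKeyCheck | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "OA3Tool.exe failed with exit code $LASTEXITCODE" }
}
finally {
    Pop-Location
}

if (-not (Test-Path $reportFile)) { throw "OA3Tool.exe produced no report at $reportFile" }

[xml]$report = Get-Content -Path $reportFile -Raw
$hash = $report.Key.HardwareHash                # assumed element path in the report
if ([string]::IsNullOrWhiteSpace($hash)) { throw "No <HardwareHash> found in $reportFile" }

# The hash must be base64; fail here rather than after a rejected Intune import.
try   { $decoded = [Convert]::FromBase64String($hash) }
catch { throw "HardwareHash is not valid base64" }

# Serial number from the BIOS; WinPE-PowerShell pulls in WMI, so CIM works here.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
if ([string]::IsNullOrWhiteSpace($serial)) { throw "BIOS serial number is empty" }

# Column names are the ones the Intune Autopilot CSV import expects; the product ID
# column may stay empty. Quotes are stripped because the import wants a bare CSV.
$row = [pscustomobject]@{
    "Device Serial Number" = $serial
    "Windows Product ID"   = ""
    "Hardware Hash"        = $hash
    "Group Tag"            = $GroupTag
}
$row | ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Out-File -FilePath $OutputFile -Encoding ascii

Write-Host "Hardware hash ($($decoded.Length) bytes decoded) for serial $serial written to $OutputFile"
```

The script deliberately refuses to write a CSV when any input is missing or the hash does not decode, so a broken WinPE image fails this task visibly instead of producing an upload that Intune rejects later.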

6. Create a “run Script” Task in Altiris using the following Command Script

powershell X:\upload_hash.ps1

Output:
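The following script is an added example covering the Upload_Hash.ps1 configuration shown earlier (Tenant ID, AppID, AppSecret) and step 6; it is not the Upload_Hash.ps1 from the blog's GitHub repository. It acquires a client-credentials token for Microsoft Graph with the app registration created above, imports every row of the CSV through the importedWindowsAutopilotDeviceIdentities endpoint and polls until Intune reports the import as complete or failed. Before requesting a token it compares the WinPE clock with the Date header of the Microsoft login endpoint, because the "access token has expired" error from step 4 is a clock problem. Assumptions: the CSV uses the Autopilot import columns (Device Serial Number, Windows Product ID, Hardware Hash, optional Group Tag), and the skew limit and timeout values are mine.

```powershell
<#
  Added example (not the repository's Upload_Hash.ps1).
  Requires the app registration from above with DeviceManagementServiceConfig.ReadWrite.All.
  Run in WinPE as:  powershell X:\upload_hash_example.ps1 -CsvPath X:\autopilot.csv
#>
param(
    [string]$CsvPath = "X:\autopilot.csv",
    [int]$MaxClockSkewMinutes = 5,      # chosen value, not from the page
    [int]$ImportTimeoutSeconds = 600    # chosen value, not from the page
)

$ErrorActionPreference = "Stop"

# Same three placeholders the blog asks you to fill in.
$TenantID  = "your Azure Tenant ID goes here"
$AppID     = "your AppID goes here"
$AppSecret = "your AppSecret goes here"

# PowerShell 5.1 in WinPE does not always negotiate TLS 1.2 by default.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 1. Clock check: the tenant's OpenID discovery document answers 200 with a Date header.
$discovery  = Invoke-WebRequest -UseBasicParsing -Uri "https://login.microsoftonline.com/$TenantID/v2.0/.well-known/openid-configuration"
$serverTime = [DateTimeOffset]::Parse($discovery.Headers["Date"], [Globalization.CultureInfo]::InvariantCulture)
$skewMin    = ([DateTimeOffset]::UtcNow - $serverTime).TotalMinutes
if ([math]::Abs($skewMin) -gt $MaxClockSkewMinutes) {
    throw "WinPE clock is off by $([math]::Round($skewMin, 1)) minutes; fix the time first (cause of 'The provided access token has expired')."
}

# 2. Client-credentials token for Microsoft Graph (no user involved).
$token = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token" -Body @{
    client_id     = $AppID
    client_secret = $AppSecret
    scope         = "https://graph.microsoft.com/.default"
    grant_type    = "client_credentials"
}
$headers = @{ Authorization = "Bearer $($token.access_token)" }
$graph   = "https://graph.microsoft.com/v1.0/deviceManagement/importedWindowsAutopilotDeviceIdentities"

# 3. One import request per CSV row.
$pending = @()
foreach ($row in Import-Csv -Path $CsvPath) {
    $body = @{
        "@odata.type"      = "#microsoft.graph.importedWindowsAutopilotDeviceIdentity"
        serialNumber       = $row."Device Serial Number"
        productKey         = $row."Windows Product ID"
        hardwareIdentifier = $row."Hardware Hash"      # base64 string from OA3Tool
        state              = @{
            "@odata.type"        = "microsoft.graph.importedWindowsAutopilotDeviceIdentityState"
            deviceImportStatus   = "pending"
            deviceRegistrationId = ""
            deviceErrorCode      = 0
            deviceErrorName      = ""
        }
    }
    if ($row."Group Tag") { $body.groupTag = $row."Group Tag" }   # column is optional

    $resp = Invoke-RestMethod -Method Post -Uri $graph -Headers $headers `
                -ContentType "application/json" -Body ($body | ConvertTo-Json -Depth 5)
    Write-Host "Import queued for serial $($row.'Device Serial Number') (import id $($resp.id))"
    $pending += $resp.id
}

# 4. Poll until each import is 'complete' or 'error'; 'unknown'/'pending' mean keep waiting.
$deadline = (Get-Date).AddSeconds($ImportTimeoutSeconds)
$failed   = $false
while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 15
    foreach ($id in @($pending)) {
        $status = Invoke-RestMethod -Method Get -Uri "$graph/$id" -Headers $headers
        switch ($status.state.deviceImportStatus) {
            "complete" {
                Write-Host "Import $id complete, registration id $($status.state.deviceRegistrationId)"
                $pending = @($pending -ne $id)
            }
            "error" {
                Write-Warning "Import $id failed: $($status.state.deviceErrorName) (code $($status.state.deviceErrorCode))"
                $failed  = $true
                $pending = @($pending -ne $id)
            }
        }
    }
}
if ($pending.Count -gt 0) { throw "Import did not finish within $ImportTimeoutSeconds seconds" }
if ($failed) { exit 1 }
```

Two design points: the task only exits 0 when Intune itself has reported the import as complete, so the Altiris job status reflects the real result rather than just "request sent"; and because the client secret sits in clear text on the X:\ drive of every device that boots this image, the app registration carries only the single Graph permission named above, which bounds what that secret can do.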

7. Combine the “run Script” Tasks and the “copy required Files to WinPE” in a Job

8. Navigate to https://intune.microsoft.com and click on Devices -> Enrollment -> Devices

The device with the serial number should appear. If you cannot find the device, click "Sync".

References / Credits:

Michael Meier
https://mikemdm.de/2023/01/29/can-you-create-a-autopilot-hash-from-winpe-yes/

Niklas Rast
https://niklasrast.com/2024/03/06/demystifying-unattended-windows-autopilot-hardware-hash-uploading/

Michael Niehaus
https://oofhours.com/2022/08/02/connecting-the-dots-reverse-engineering-an-autopilot-hash/

David Segura (OSDCloud) – PS Gallery Support in WinPE
https://www.osdcloud.com/sandbox/sandbox

Thanks to my colleague Alexander Fuchs for the support!
