Importing Hardware Hashes for Autopilot

When working with multiple organizations, you see very different environments. When people are trialing Intune and Autopilot, they can usually get a minimum viable product going with a few devices.

I hope with this post I can outline some options you can leverage, depending on the tools you have in your environment. Just keep in mind that not every environment is the same, and I can’t make something work for everyone in one post. Most of the items below are meant to give you a rough idea of a scenario you might be in, so that you can hopefully adapt them to your environment.

Assumptions

First, let’s go over some assumptions.

  • Some current way to manage devices remotely.
    • Typically, Group Policy is the way devices are “managed” in environments and is a great starting point.
    • I have done one scenario listed below with an RMM tool like ConnectWise Automate.
  • Any infrastructure mentioned below must be in working shape.

What Are We Looking For Exactly

Amongst a few other things Autopilot needs in order to work, we need a little piece of information commonly called a Hardware Hash. Others may call it a Hardware ID or a 4K HH. Essentially this is a non-human-readable value that is a collection of hardware information from the device and a few other things. This value does change if you replace the motherboard of the device.

We then use the Hardware Hash to register ownership of the device to your tenant. I specifically use the word register because you do not enroll the device into Intune. You register the device with the Autopilot service so that the device runs through Autopilot during the out-of-box experience.

The Not So Fun Way

Let’s take a look at one of the most common ways, which isn’t fun at all if you have more than 5 devices. I might not recommend this method even for my worst enemy, but it is still an option nonetheless.

We can leverage a script available in the PowerShell Gallery called Get-WindowsAutopilotInfo. It grabs all the information we need, and we can specify a switch to upload it automatically for us. I recommend that you open an administrative PowerShell terminal and use the following lines to gather the Hardware Hash.

Set-ExecutionPolicy Bypass -Scope Process
Install-Script Get-WindowsAutopilotInfo -Force
Get-WindowsAutopilotInfo -Online

After it gathers the hash, you will see a line that seems to repeat itself. This is the script uploading the hardware hash for you and making sure the Autopilot service sees it before the script ends. Very helpful compared to earlier versions of this script.

Leveraging Group Policy

Group Policy can be very helpful here, both to set up some prerequisites for some of the methods listed below and to automate grabbing the hardware hash. I am going to put the options in order of not fun to fun, at least in my opinion.

Leveraging Get-WindowsAutopilotInfo

You can reuse Get-WindowsAutopilotInfo on the devices themselves to gather their hardware hashes into one combined CSV, which you can then upload to the Autopilot service to register them. There are a few gotchas.

Requirements

  • You will need a central location that all devices can reach to append their respective information.
  • Devices must be able to see your domain controllers.
  • You must have the Get-WindowsAutopilotInfo script.
    • Source Code can be found here.

This is an outline of what the wrapper script pushed via Group Policy will look like. It is a batch file that sits next to the downloaded Get-WindowsAutopilotInfo.ps1, so %~dp0 resolves to the folder holding both.

powershell.exe -ExecutionPolicy Bypass -File "%~dp0Get-WindowsAutopilotInfo.ps1" -OutputFile "\\SHARE\Hashes.csv" -Append

Essentially, when this wrapper is run on the devices it is pushed to, it runs the script, and instead of uploading the hash automatically, you end up with a big list of hashes on your file share. Keep in mind that you may get duplicates, but with a little bit of Excel magic those won’t be a problem.
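The “Excel magic” step done in PowerShell instead, as an added example that is not part of the original post: it reads the CSV the wrapper appended to, checks for the three columns the Autopilot import expects, drops duplicate serials, and flags serials that reported more than one hash. The share path and output file name are assumptions for this example.

```powershell
# Added example (not from the original post): clean up the appended Hashes.csv before import.
# Source/Destination paths are assumptions; change them for your environment.
param(
    [string] $Source      = '\\SHARE\Hashes.csv',
    [string] $Destination = '\\SHARE\Hashes-clean.csv'
)
# Columns Get-WindowsAutopilotInfo writes and the Autopilot CSV import requires.
$Required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'

$rows = @(Import-Csv -Path $Source)
if ($rows.Count -eq 0) { throw "No rows found in $Source" }

# Fail fast on a wrong header; the import rejects a CSV that lacks these columns.
$present = $rows[0].PSObject.Properties.Name
$missing = @($Required | Where-Object { $_ -notin $present })
if ($missing.Count -gt 0) { throw "CSV is missing required column(s): $($missing -join ', ')" }

$clean    = New-Object System.Collections.Generic.List[object]
$conflict = @()
foreach ($group in ($rows | Group-Object 'Device Serial Number')) {
    $serial = $group.Name
    # A repeated header line can appear if two devices created the file at the same moment.
    if ([string]::IsNullOrWhiteSpace($serial) -or $serial -eq 'Device Serial Number') { continue }

    # Drop rows whose hash is empty or not base64 (the 4K hardware hash is a base64 blob).
    $valid = @($group.Group | Where-Object { $_.'Hardware Hash' -match '^[A-Za-z0-9+/]+=*$' })
    if ($valid.Count -eq 0) { Write-Warning "$serial has no usable hardware hash; skipping"; continue }

    # Two different hashes for one serial usually means the motherboard was replaced;
    # keep the most recently appended row but call the serial out for a manual check.
    $distinct = @($valid.'Hardware Hash' | Sort-Object -Unique)
    if ($distinct.Count -gt 1) { $conflict += $serial }
    $clean.Add($valid[-1])
}

$clean | Select-Object $Required | Export-Csv -Path $Destination -NoTypeInformation
Write-Host "Read $($rows.Count) rows, wrote $($clean.Count) unique devices to $Destination"
if ($conflict.Count -gt 0) {
    Write-Warning "Serials with more than one hash (check for board swaps): $($conflict -join ', ')"
}
```

The cleaned file is what you upload in the Intune admin center; keep the original CSV until the import reports success so a failed row can still be traced back to the device that wrote it.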

I could also use this method with an RMM like ConnectWise Automate if I had devices that don’t process Group Policy regularly.

Enrolling Devices Into Intune with Group Policy

This method is the most recommended one for existing devices if you don’t have another management system like Configuration Manager.

Essentially what this looks like:

  • Make sure Hybrid Join is configured correctly
    • Documentation page
  • Configure Group Policy to enroll devices into Intune
    • Documentation page
  • Group the Enrolled Devices into an Entra ID Group.
  • Create a Deployment Profile with the option set to yes on Convert all targeted devices to Autopilot.
  • Wait a couple days.

That’s it! Really, that is it. I do want to note a couple of things here though. One, this is not a fast method. It takes time for the enrollment to happen and for devices to learn that they need to register their hardware hash. Two, this does not migrate a Hybrid Joined device to an Entra ID Joined device. It only gathers the hardware hash from the device for you.

Leveraging Configuration Manager

Configuration Manager is very common software I see when organizations are looking to leverage the cloud for management. The steps were commonly Tenant Attach, then Co-Management, then Autopilot. This still holds true today, depending on how far along your endpoint management and onboarding modernization is.

Luckily, Configuration Manager can do a lot of the legwork as well. There is some crossover with the hands-off Group Policy method.

Co-Management

If you set up co-management, I can essentially do away with pushing a Group Policy, which I will take 10 times out of 10. Plus, I get reporting and a better feature set overall. This post isn’t about how to set that up, but you should be aware that it is needed for this method of getting the hashes. Again, this is a very common pathway, so I have to include it as an option.

Steps for Co-Management Method:

  • Follow the Microsoft Documentation for setting this up.
    • Documentation page
    • This does include you setting up Hybrid Join correctly.
  • Group the Enrolled Devices into an Entra ID Group.
  • Create a Deployment Profile with the option set to yes on Convert all targeted devices to Autopilot.
  • Wait a couple days.

Leveraging ConfigMgr’s Hardware Inventory

There are a couple of ways to get this accomplished. One is utilizing a script to gather them from the ConfigMgr database and registering them by hand. This method can be done, and it looks like it has been done before, as you can see here.

Another way is to generate a report utilizing a ConfigMgr Reporting Services Point, which can export all of them, but you will need to validate the data to make sure you have everything. That can be found here.

Hands Off Completely

The final way, and the easiest, hands-off way, is utilizing a Microsoft Partner to register the devices for you. How this works is that the Partner requests a reseller relationship by sending the Global Administrator of your tenant a link that they accept.

This allows the partner only to register devices to your Autopilot service, with no other access, and with Group Tags if you want to group devices by that. The goal is for you to take a device out of the box and run it through Autopilot, with no additional steps needed from IT. This can be done for existing devices and new devices.

The one thing you need to worry about is that they cannot magically know what the hardware hash is if the device’s motherboard was replaced. This will only work for devices that haven’t been repaired. The good thing is that they can do it for existing devices; some partners do charge for this, but it is probably worth it in the long run.

If you do have a device that got its motherboard replaced, leverage one of the previous options, but the fastest is going to be the manual, not-so-fun method.