Autopilot & Hardware Hash

Autopilot brings many benefits and significantly speeds up the rollout and setup of an end device. Before a device can go through this process, it must be registered in Autopilot in the respective tenant and the enrollment profile must be assigned. Registration in the tenant requires the hardware hash of the device. What is the hardware hash and what does it contain?

The motivation for this research was to think through the repair scenario. What happens, for example, when hardware parts such as the mainboard are replaced? Microsoft points out that the hardware hash must be re-read and re-imported after the mainboard is replaced. More information is available here:

https://docs.microsoft.com/de-de/mem/autopilot/autopilot-mbr

To understand the dependencies, I read out the hardware hash on a test device. You can do this by following the instructions from Microsoft (https://docs.microsoft.com/en-us/mem/autopilot/add-devices):

md c:\HWID
Set-Location c:\HWID
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
Install-Script -Name Get-WindowsAutopilotInfo -Force
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv 

The .csv file contains the Device Serial Number, the Windows Product ID and the Hardware Hash. The hardware hash, which uniquely identifies a Windows device, is a string 4000 bytes in size, which is why it is abbreviated as 4K HH.

Next, the contents of the hardware hash can be decoded using the OA 3.0 tool. Microsoft offers a help page for this: https://docs.microsoft.com/de-de/windows-hardware/manufacture/desktop/oa3-using-on-factory-floor?view=windows-11

The tool is part of the Windows Assessment and Deployment Kit and can be downloaded here: https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install. In the terminal (CMD), navigate to the directory that contains oa3tool.exe. It is typically found at the following path: C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\Licensing\OA30\oa3tool.exe.

Next, the following command must be executed:

oa3tool.exe /DecodeHWHash=HARDWAREHASH

Replace HARDWAREHASH with the hash from the CSV file.

If everything worked, the tool lists the content of the hardware ID.

The ID contains information about the processor, mainboard, system manufacturer, MAC address, display, GPU and TPM.
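
The collection and decode steps above can be chained so that every row of the CSV is decoded in one pass. This is an added example, not code from the original post or from Microsoft; it assumes the CSV path from the collection step, the default ADK path mentioned above, and a hypothetical output folder C:\HWID\Decoded.

```powershell
# Added example (not from the original post). Assumed values: the CSV location
# from the collection step, the default ADK path, and a hypothetical output folder.
$CsvPath = 'C:\HWID\AutopilotHWID.csv'
$Oa3Tool = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\Licensing\OA30\oa3tool.exe'
$OutDir  = 'C:\HWID\Decoded'   # hypothetical folder name

if (-not (Test-Path -LiteralPath $Oa3Tool)) { throw "oa3tool.exe not found: $Oa3Tool" }
if (-not (Test-Path -LiteralPath $CsvPath)) { throw "CSV not found: $CsvPath" }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($row in Import-Csv -LiteralPath $CsvPath) {
    # Column names as written by Get-WindowsAutopilotInfo.ps1
    $serial = $row.'Device Serial Number'
    $hash   = $row.'Hardware Hash'

    if ([string]::IsNullOrWhiteSpace($hash)) {
        Write-Warning "No hardware hash for serial '$serial'; row skipped."
        continue
    }

    # The hash is Base64 text; a failed decode usually means the value was
    # truncated or altered, e.g. by editing the CSV in a spreadsheet.
    try { [void][Convert]::FromBase64String($hash.Trim()) }
    catch {
        Write-Warning "Hash for serial '$serial' is not valid Base64; row skipped."
        continue
    }

    # Serial numbers can contain characters that are invalid in file names.
    $safeName = ($serial -replace '[^\w.-]', '_')
    $outFile  = Join-Path $OutDir "$safeName.txt"

    # Same call as the manual step: oa3tool.exe /DecodeHWHash=<hash>
    & $Oa3Tool "/DecodeHWHash=$($hash.Trim())" | Set-Content -LiteralPath $outFile

    if ($LASTEXITCODE -ne 0) {
        Write-Warning "oa3tool.exe returned exit code $LASTEXITCODE for serial '$serial'."
    } else {
        Write-Host "Decoded $serial -> $outFile"
    }
}
```

The decoded files hold the component details listed above (MAC address, TPM and so on) in readable form, so restrict access to the output folder in the same way as the CSV.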

Further information: https://osddeployment.dk/2018/12/15/demystifying-windows-autopilot-hardware-hash-and-autopilot-diagnostic-tools/