How to Capture Windows Autopilot Hardware Hashes (4 Methods)

If you've got a stack of new laptops that need enrolling in Intune but aren't showing up in Autopilot yet, this guide covers the fastest ways to grab the hardware hash without sitting through the full Windows setup.

You can pull the hardware hash straight from the welcome screen without going through the full OOBE.

What is a Hardware Hash?

A hardware hash is a unique fingerprint for a specific device. It's generated from the device's hardware components, including the motherboard, CPU and TPM chip.

When you upload this hash to your Intune tenant, you're telling the cloud: "If this specific piece of hardware ever hits the internet, send it straight to our company login screen, not the default Windows consumer setup."

Because it is tied to the physical hardware, it's persistent. You can wipe the hard drive, reinstall Windows, and the moment that laptop sees a Wi-Fi signal it'll still know it belongs to your company.

Hash vs. Serial Number: Why the extra steps?

Serial numbers aren't as unique as we'd like to think, across different manufacturers and years of production, duplicates can happen. The Hardware Hash is a large encrypted string that is mathematically unique to that specific machine build.

By using the hash, Microsoft performs a high-level security handshake that prevents device spoofing, ensuring someone can't guess your serial numbers and hijack your Autopilot setup.

Prerequisites

• Internet Access, For the Direct Upload method, connect via Ethernet or Wi-Fi at the welcome screen.
• Admin Rights, You'll need an account with Global Administrator or Intune Administrator.
• Power, Keep the laptop plugged in. A TPM handshake failing due to low battery is an avoidable headache.

Method 1, The USB Stick Routine

The classic approach for processing a batch of laptops and uploading them all at once later.

Step 1: Grab the Hash

1. 1Power on the laptop. At the Welcome or Region screen, don't click anything. Press Shift + F10 to open a command prompt.
2. 2Type powershell and hit Enter.
3. 3Run the following commands:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

Type 'Y' if asked.

Install-Script -Name Get-WindowsAutoPilotInfo

Type 'Y' for NuGet.

Get-WindowsAutoPilotInfo.ps1 -OutputFile C:\HWHash.csv

Step 2: Move the Hash to Your USB

Plug in your USB drive. You need to find the drive letter so you can copy the file to it.

1. 1Open DiskPart:

diskpart

1. 2List volumes to find your USB drive letter:

list volume

1. 3Find your USB in the list and note the letter (in this example it's D). Then type exit.
2. 4Copy the file to the USB:

copy C:\HWHash.csv D:\

If you get a "file not found" error, verify you saved it to the root of C: in the previous step. You can check by typing dir C:\HWHash.csv

Get-WindowsAutoPilotInfo.ps1 -OutputFile D:\HWHash.csv -Append

Method 2, Direct Upload (No USB Required)

If you have a solid Wi-Fi or Ethernet connection, you can register the device directly to your O365 tenancy, no USB needed.

1. 1Press Shift + F10 and enter powershell.
2. 2Run the following script:

# 1. Bypass the policy for this specific window
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

# 2. Install/Update the script silently
Install-Script -Name Get-WindowsAutoPilotInfo -Force

# 3. Upload directly to your Microsoft tenant
Get-WindowsAutoPilotInfo.ps1 -Online

1. 3A login window will appear. If it doesn't, press Alt + Tab.
2. 4Sign in with a Global Administrator or Intune Administrator account. The script uses the Microsoft Graph API to register the device directly.

Uploading the .csv to Intune

Once you have the HWHash.csv file, import it to Intune:

1. 1Go to Microsoft Intune → Devices → Enrollment → Windows Autopilot → Devices.
2. 2Click Import and select your HWHash.csv.
3. 3Wait at least 15 minutes for the device to sync. Once it appears in the list, you're good to go.

Method 3, Graph API Import Script

If you've already got a CSV of hardware hashes and want to automate the import rather than clicking through the Intune Admin Centre each time, you can push them directly via the Microsoft Graph API using PowerShell. This is the fastest option for bulk imports and works well in an MSP or multi-tenant environment.

Run this from a machine that already has internet access and the Microsoft Graph PowerShell SDK installed.

# Install the module if you haven't already
Install-Module -Name Microsoft.Graph -Scope CurrentUser -Force

# Connect with the required scope
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All"

# Set the path to your CSV file
$csvPath = "C:\HWHash.csv"
$devices = Import-Csv -Path $csvPath

foreach ($device in $devices) {
    $body = @{
        "@odata.type"       = "#microsoft.graph.importedWindowsAutopilotDeviceIdentity"
        serialNumber        = $device."Device Serial Number"
        productKey          = $device."Windows Product ID"
        hardwareIdentifier  = $device."Hardware Hash"
        groupTag            = $device."Group Tag"
        assignedUserPrincipalName = $device."Assigned User"
    }

    New-MgDeviceManagementImportedWindowsAutopilotDeviceIdentity -BodyParameter $body
    Write-Host "Imported: $($device.'Device Serial Number')" -ForegroundColor Green
}

Write-Host "Import complete. Allow 15 minutes for devices to appear in Intune."

Method 4, Capturing the Hash from Within Windows (USB)

If the device has already been through OOBE and is sitting at the Windows desktop — perhaps a returned machine, a rebuild, or a device you didn't catch at the welcome screen — you can still capture the hash without wiping it. Run the script from within Windows itself and save directly to a USB stick.

This requires the device to be signed into a local or domain account with admin rights. Internet access is not required for this method.

Step 1: Plug in your USB drive

Note the drive letter (e.g. D: or E:). Open PowerShell as Administrator.

Step 2: Run the script

# Install the script from PSGallery
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Install-Script -Name Get-WindowsAutoPilotInfo -Force

# Save the hash directly to your USB (replace D:\ with your drive letter)
Get-WindowsAutoPilotInfo.ps1 -OutputFile D:\HWHash.csv

If you're processing multiple devices one after another and saving to the same USB, use the -Append flag so each device appends to the same file rather than overwriting it:

Get-WindowsAutoPilotInfo.ps1 -OutputFile D:\HWHash.csv -Append

Step 3: Upload the CSV

1. 1Take the USB to a machine with access to the Intune Admin Centre.
2. 2Go to Devices → Enrollment → Windows Autopilot → Devices → Import.
3. 3Select your HWHash.csv and wait 15 minutes for devices to sync.

Wait, Do You Actually Need to Do This Manually?

Before you slice open 50 laptop boxes and start typing, check with your hardware vendor (Dell, HP, Lenovo, etc.).

Most major manufacturers offer a Direct-to-Autopilot service. If you provide your Tenant ID and Domain Name at time of order, their factory team can inject the hardware hashes into your Intune portal before the hardware even leaves the warehouse.

This manual method is only really needed when:

• Testing: You need a couple of machines to verify your deployment profile is working.
• Hand-me-downs: Repurposing older gear or refurbished laptops being brought back into the fold.
• Emergency runs: A one-off laptop grabbed from a local shop because someone's machine died and you couldn't wait for a vendor shipment.

Troubleshooting

Deployment is stuck

Use the diagnostics script below. This gives you a colour-coded list of exactly which policy or app is failing.

Install-Script -Name Get-AutopilotDiagnostics
Get-AutopilotDiagnostics.ps1

Error 0x800705b4

Usually caused by a TPM issue due to an incorrect system clock. For example, if the laptop thinks it's 16:45 but it's actually 16:49. Run the below to fix:

w32tm /resync /force

Error 0x80180014

If you're redeploying a laptop that was previously in Autopilot, you must delete the old device record from the Intune Autopilot list first. Intune won't re-enrol a device it thinks it already knows.

"Is it managed yet?"

Run the below to verify the device has pulled its Autopilot profile:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Alternatively, check for the Autopilot marker file:

dir C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC