Intune Device Hash Extraction

Several methods can extract a device hash suitable for Microsoft Intune (Windows Autopilot) enrollment. The first method, automatic enrollment, is the most secure way to extract the hash and enroll the device into Intune. All of these methods carry some risk; before using any of them, take your environment and your organization’s risk appetite into account.

Capture the device hash with automatic Intune enrollment

This is useful when the endpoint has a working internet connection AND the technician performing the task has sufficient privileges to enroll devices into Intune.

# Start a nested shell that bypasses the execution policy; the remaining lines are typed into that shell
PowerShell.exe -ExecutionPolicy Bypass
# Allow TLS 1.2 for the PowerShell Gallery download (set inside the nested shell, since the setting is per process)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-Script -Name Get-WindowsAutopilotInfo -Force
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
# Install-Script places the script in this folder; add it to the session PATH so the command resolves without restarting the shell
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
# Sign in when prompted; the hash is uploaded straight to the tenant
Get-WindowsAutopilotInfo -Online

Capture a device hash as a .csv

This is useful for capturing a device hash for later import into Intune, for example when the endpoint will not have internet access available or when the technician performing the capture lacks sufficient privileges to enroll devices in the tenant. Change the path in the New-Item and Set-Location commands to a directory of your choosing, such as the D: drive.

# Allow TLS 1.2 for the PowerShell Gallery download
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Working folder for the CSV; change it (for example to a D: USB drive) if no copy should remain on C:
New-Item -Type Directory -Path "C:\HWID" -Force
Set-Location -Path "C:\HWID"
# Install-Script places the script in this folder; add it to the session PATH so the command resolves
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
# Install-Script needs to reach the PowerShell Gallery; on an offline endpoint, copy a previously saved Get-WindowsAutopilotInfo.ps1 into this folder instead
Install-Script -Name Get-WindowsAutopilotInfo -Force
# Write the serial number, Windows product ID and hardware hash to a CSV for later import
Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv
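Before a CSV captured this way is handed to an Intune administrator, it is worth checking that it is complete and recording what was captured. The following is an added example, not code from the original post or from the Get-WindowsAutopilotInfo script: it validates every captured CSV in the working folder, merges them into one import file, and records a SHA-256 of each source file so the administrator can compare what they received with what the technician captured. The column names are the ones Get-WindowsAutopilotInfo writes; the folder, the file name pattern, the merged file name and the minimum hash length are assumptions for this example.

```powershell
# Added example, not part of the original post: validate the CSV files written by
# Get-WindowsAutopilotInfo, merge them into one import file and record a SHA-256
# of each source. Folder, file pattern, merged file name and the length threshold
# are assumptions for this example.

$SourceDir       = "C:\HWID"
$MergedFile      = Join-Path -Path $SourceDir -ChildPath "Merged-AutopilotHWID.csv"
$RequiredColumns = @("Device Serial Number", "Windows Product ID", "Hardware Hash")

function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)

    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "$Path contains no data rows." }

    # Every required column must be present in the header.
    $present = $rows[0].PSObject.Properties.Name
    foreach ($col in $RequiredColumns) {
        if ($present -notcontains $col) { throw "$Path is missing the column '$col'." }
    }

    foreach ($row in $rows) {
        $serial = $row.'Device Serial Number'
        $hash   = $row.'Hardware Hash'
        if ([string]::IsNullOrWhiteSpace($serial)) { throw "$Path has a row with no serial number." }
        # The hardware hash is base64 and normally runs to a few thousand characters;
        # a short or undecodable value points at a truncated or hand-edited capture
        # (1000 is a sanity threshold chosen for this example, not a Microsoft limit).
        if ([string]::IsNullOrWhiteSpace($hash) -or $hash.Length -lt 1000) {
            throw "$Path has an empty or truncated hardware hash for serial $serial."
        }
        try { [void][Convert]::FromBase64String($hash) }
        catch { throw "$Path has a hardware hash that is not valid base64 for serial $serial." }
    }
    return $rows
}

$allRows  = @()
$manifest = @()
foreach ($file in Get-ChildItem -Path $SourceDir -Filter "*AutopilotHWID.csv" |
         Where-Object { $_.Name -ne (Split-Path -Path $MergedFile -Leaf) }) {
    $rows      = Test-AutopilotCsv -Path $file.FullName
    $allRows  += $rows
    $manifest += [pscustomobject]@{
        File   = $file.Name
        Rows   = $rows.Count
        SHA256 = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    }
}
if ($allRows.Count -eq 0) { throw "No *AutopilotHWID.csv files found in $SourceDir." }

# Catch duplicate serial numbers here rather than at import time in the portal.
$dupes = $allRows | Group-Object -Property 'Device Serial Number' | Where-Object { $_.Count -gt 1 }
if ($dupes) { throw "Duplicate serial numbers: $($dupes.Name -join ', ')" }

# Write the merged file the way Get-WindowsAutopilotInfo writes its own: the
# required columns only, with the quotes ConvertTo-Csv adds stripped (none of the
# values contain commas, so the unquoted form is safe and matches the script's output).
$allRows |
    Select-Object -Property $RequiredColumns |
    ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Out-File -FilePath $MergedFile

$manifest | Format-Table -AutoSize
Write-Output "Merged $($allRows.Count) device(s) into $MergedFile (SHA-256 $((Get-FileHash -Path $MergedFile -Algorithm SHA256).Hash))"
```

Run it on the endpoint or on the administrator's workstation after the CSV files have been collected; the manifest it prints (file name, row count, SHA-256) is what the administrator keeps alongside the import record.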

Capture and email the device hash

This is useful when the endpoint has internet connectivity but the technician has insufficient privileges to enroll devices.

This method is more controversial, both because of the way the hash is transmitted (as an email attachment) and because of the authentication method used to send it.

I would not use this with a functional user account, but I would suggest looking for an SMTP relay to use as an alternative.

Warning: The scripts below rely on an app password for use within M365. App passwords, like any password, carry risk both in enabling and in using them. Consider your organization’s risk appetite before using them.

# Set security protocol
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Create directory and set location
New-Item -Type Directory -Path "C:\HWID" -Force
Set-Location -Path "C:\HWID"

# Update environment path and set execution policy
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

# Install Get-WindowsAutopilotInfo script
Install-Script -Name Get-WindowsAutopilotInfo -Force

# Get the NetBIOS name of the machine
$netBIOSName = (Get-WmiObject Win32_ComputerSystem).Name

# Define the output file with the NetBIOS name prefix
$outputFile = "$netBIOSName-AutopilotHWID.csv"

# Run Get-WindowsAutopilotInfo script with the output file
Get-WindowsAutopilotInfo -OutputFile $outputFile

# Email settings
$smtpServer     = "smtp.office365.com"
$smtpPort       = 587
$smtpUser       = "<email@address.com>"      # Use your Office 365 email
$smtpFrom       = "<email@address.com>"      # Sender's email
$smtpTo         = "<email@address.com>"      # Recipient's email
$smtpSubject    = "Autopilot HWID File"
$smtpBody       = "Attached is the Autopilot HWID CSV file."
$smtpAttachment = "C:\HWID\$outputFile"

# Prompt securely for SMTP credentials
$smtpCredential = Get-Credential -UserName $smtpUser -Message "Enter your SMTP password"

# Send the email
Send-MailMessage `
  -From        $smtpFrom `
  -To          $smtpTo `
  -Subject     $smtpSubject `
  -Body        $smtpBody `
  -Attachments $smtpAttachment `
  -SmtpServer  $smtpServer `
  -Port        $smtpPort `
  -UseSsl      `
  -Credential  $smtpCredential

The script below is similar to the one above, except that the SMTP account credentials are hardcoded.

Danger: The script below is inherently dangerous because it hardcodes a credential in plain text. This is poor form and violates sound security principles. Use with extreme caution.

# Set security protocol
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Create directory and set location
New-Item -Type Directory -Path "C:\HWID" -Force
Set-Location -Path "C:\HWID"

# Update environment path and set execution policy
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

# Install Get-WindowsAutopilotInfo script
Install-Script -Name Get-WindowsAutopilotInfo -Force

# Get the NetBIOS name of the machine
$netBIOSName = (Get-WmiObject Win32_ComputerSystem).Name

# Define the output file with the NetBIOS name prefix
$outputFile = "$netBIOSName-AutopilotHWID.csv"

# Run Get-WindowsAutopilotInfo script with the output file
Get-WindowsAutopilotInfo -OutputFile $outputFile

# Email settings
$smtpServer     = "smtp.office365.com"
$smtpPort       = 587
$smtpUser       = "<email@address.com>"      # Use your Office 365 email
$smtpPass       = "<smTPpass>"               # Use your Office 365 app password (plain text in the script: see the warning above)
$smtpFrom       = "<email@address.com>"      # Sender's email
$smtpTo         = "<email@address.com>"      # Recipient's email
$smtpSubject    = "Autopilot HWID File"
$smtpBody       = "Attached is the Autopilot HWID CSV file."
$smtpAttachment = "C:\HWID\$outputFile"

# Wrap the plain-text password in a SecureString (this does not protect the value written in the script itself)
$secureSmtpPass = ConvertTo-SecureString $smtpPass -AsPlainText -Force

# SMTP credential
$smtpCredential = New-Object System.Management.Automation.PSCredential -ArgumentList $smtpUser, $secureSmtpPass

# Send the email
Send-MailMessage `
  -From        $smtpFrom `
  -To          $smtpTo `
  -Subject     $smtpSubject `
  -Body        $smtpBody `
  -Attachments $smtpAttachment `
  -SmtpServer  $smtpServer `
  -Port        $smtpPort `
  -UseSsl      `
  -Credential  $smtpCredential

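Both email scripts above authenticate to Office 365 with a mailbox password, which is the part the author flags as controversial. The following is an added example, not code from the original post: it sends the same CSV through an internal SMTP relay that authorises senders by source IP, so no mailbox password exists on the endpoint, and it puts a SHA-256 of the attachment in the message body so the recipient can confirm the file they import is the one that was captured. Where a relay does insist on authentication, it reads a credential saved once with Export-Clixml rather than one hardcoded in the script. The relay host, port, mailbox addresses and the credential file path are assumptions for this example.

```powershell
# Added example, not part of the original post: send the captured CSV through an
# internal SMTP relay that authorises senders by source IP, so no mailbox password
# has to exist on the endpoint. Relay host, port, mailbox addresses and the
# credential file path are assumptions; replace them with your own.

# The CSV written by the scripts above, prefixed with the computer name.
$outputFile = "C:\HWID\$env:COMPUTERNAME-AutopilotHWID.csv"
if (-not (Test-Path -Path $outputFile)) { throw "Hash file not found: $outputFile" }

# A SHA-256 of the attachment goes in the body so the recipient can verify the file.
$fileHash = (Get-FileHash -Path $outputFile -Algorithm SHA256).Hash

$mail = @{
    From        = "autopilot-capture@example.com"   # assumed sender address
    To          = "intune-admins@example.com"       # assumed recipient mailbox
    Subject     = "Autopilot HWID for $env:COMPUTERNAME"
    Body        = "Attached: $(Split-Path -Path $outputFile -Leaf)`r`nSHA-256: $fileHash"
    Attachments = $outputFile
    SmtpServer  = "relay.example.com"               # assumed internal relay
    Port        = 25
    ErrorAction = "Stop"
}

# If the relay does require authentication, load a credential that was saved once with
#   Get-Credential | Export-Clixml -Path "C:\HWID\relay.cred.xml"
# Export-Clixml protects the password with DPAPI, so the file can only be read by the
# same user on the same machine. That is far better than a plain-text password in the
# script, but it also means the file has to be created on each endpoint that uses it.
$credFile = "C:\HWID\relay.cred.xml"   # assumed path
if (Test-Path -Path $credFile) {
    $mail.Credential = Import-Clixml -Path $credFile
    $mail.UseSsl     = $true           # authenticated submission should use STARTTLS
}

try {
    Send-MailMessage @mail
    Write-Output "Sent $outputFile (SHA-256 $fileHash) via $($mail.SmtpServer)"
}
catch {
    throw "Sending the hash file failed: $($_.Exception.Message)"
}
```

The relay still needs to be restricted to the technician subnet and to the destination mailbox, otherwise an open relay becomes a larger problem than the app password it replaced. The credential file path is only checked, never created, by this script; the Export-Clixml step is a one-time action by the technician on that endpoint.
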
This post is licensed under CC BY 4.0 by the author.