How to Directly Upload Hardware Hashes to an MS Intune MDM Service Without USB
01 So, What Exactly Is a Hardware Hash?
Before we dive into commands, let's talk about what you're actually uploading — because "hardware hash" sounds like something a DevOps person muttered in a fever dream, but it's actually pretty elegant once you understand it.
A hardware hash is a unique cryptographic fingerprint of your device. It's generated by combining identifiers from your hardware — things like the TPM chip, network adapters, disk serial numbers, and BIOS info — into a single 4KB blob of data. Microsoft uses this hash to say: "Yes, this specific physical machine is allowed to enroll into our organisation's Intune environment."
This is the foundation of Windows Autopilot — Microsoft's zero-touch deployment system. Instead of imaging machines manually or mailing them to IT, a new device can ship directly to an employee, they power it on, sign in with their work account, and the machine auto-configures itself. Magic. But only if the hardware hash is registered first.
02 Two Scenarios — Know Which One You're In
The process differs slightly depending on where you're starting from. Make sure you're using the right path:
Brand New Device (OOBE)
Device is fresh out of the box, at the Windows initial setup screen. You haven't signed in yet. This is the ideal time to register — no existing profile to worry about.
Existing / Already-Enrolled Device
Device is already running Windows and signed into an account. You can still extract and upload the hash, but you'll need admin privileges on the machine and in Intune.
Both scenarios use the same PowerShell script. The difference is just how you get to a PowerShell prompt.
03 New Device During Windows Setup (OOBE)
This is the slickest approach. Your device is sitting at the "Let's set things up for your organisation" or the initial region-selection screen — you haven't committed to any setup yet. Here's the trick:
1. On the OOBE screen, press Shift + F10. This drops you into a plain Command Prompt window. Don't panic — this is expected behaviour and completely safe.
2. Type powershell.exe and hit Enter. You're now in PowerShell running as SYSTEM — which means you have full privileges without needing to sign into anything.
3. Run the commands in the next section. You'll need an internet connection — make sure the device is connected to Wi-Fi or Ethernet first.
4. After the hash uploads successfully, restart the device. Do not continue through OOBE manually. The restart lets Windows Autopilot take over and apply your org's provisioning profile automatically.
04 The PowerShell Commands
One script does it all. Run these four lines in order. Each line has a job — here's what's actually happening under the hood:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo -Force
Get-WindowsAutopilotInfo -Online
Here's what each line actually does — no hand-waving:
| Command | What It Does | Why It's Needed |
|---|---|---|
| [Net.ServicePointManager]::SecurityProtocol = TLS12 | Forces PowerShell to use TLS 1.2 for all web requests | PSGallery requires TLS 1.2. Older Windows builds default to TLS 1.0 which is rejected. |
| Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned | Temporarily allows downloaded scripts to run in this session only | Default policy blocks script execution. The -Scope Process flag means it resets when you close PowerShell — not a permanent change. |
| Install-Script -Name Get-WindowsAutopilotInfo -Force | Downloads the Autopilot script from PowerShell Gallery | This is a Microsoft-authored script. -Force skips the confirmation prompt and overwrites any older version. |
| Get-WindowsAutopilotInfo -Online | Generates the hardware hash and uploads it directly to Intune | The -Online flag triggers a sign-in popup so it can authenticate to your Intune tenant and upload in one step. |
Get-WindowsAutopilotInfo -OutputFile C:\AutopilotHash.csv — useful if you're collecting hashes from multiple machines to bulk-import via Intune.
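Because the sequence above runs a downloaded script as SYSTEM and then signs in with an Intune admin account, some teams stage and inspect the script before running it. The following is an added example, not code from the original page or from the script's authors; the staging folder and the expected hash are placeholders you supply from your own review.

```powershell
# Added example: stage the script, inspect it, and run it only if it matches
# a SHA-256 you recorded from a copy you reviewed yourself.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned

$stage        = Join-Path $env:TEMP 'autopilot-stage'   # hypothetical staging folder
$expectedHash = '<SHA256-OF-REVIEWED-COPY>'             # placeholder, not a real value

New-Item -ItemType Directory -Path $stage -Force | Out-Null

# Save-Script downloads the file without installing it into the scripts path.
Save-Script -Name Get-WindowsAutopilotInfo -Path $stage -Force
$scriptPath = Join-Path $stage 'Get-WindowsAutopilotInfo.ps1'

$meta = Test-ScriptFileInfo -Path $scriptPath            # PSScriptInfo metadata header
$sig  = Get-AuthenticodeSignature -FilePath $scriptPath  # signature status, if any
$hash = (Get-FileHash -Path $scriptPath -Algorithm SHA256).Hash

# Show what was actually downloaded so it can be recorded in the build log.
[pscustomobject]@{
    Version         = $meta.Version
    Author          = $meta.Author
    SignatureStatus = $sig.Status
    Signer          = $sig.SignerCertificate.Subject     # empty when the file is unsigned
    SHA256          = $hash
} | Format-List

# Refuse to run anything other than the reviewed copy.
if ($hash -ne $expectedHash) {
    throw "Staged script does not match the reviewed copy (got $hash). Not running it."
}

& $scriptPath -Online
```

Until `$expectedHash` is filled in, the script stops at the comparison after printing the metadata, which is the point at which to review the staged file.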
05 What Happens After You Run It
Running Get-WindowsAutopilotInfo -Online kicks off a short sequence of events. Here's exactly what to expect so nothing catches you off guard:
1. NuGet install prompt — PowerShell will ask you to install NuGet, the package provider it needs to pull from PSGallery. Type Y and press Enter. This is safe and expected.
2. Microsoft Entra ID sign-in window — A browser-style login popup appears. Sign in with an account that has Intune Administrator or Global Administrator privileges in your tenant. Your regular user account won't work here.
3. First-run app permissions — On your very first run ever, Microsoft will ask you to consent to app registration permissions for the AutopilotInfo script. Review them and click Accept. You only see this once per tenant.
4. Hash extraction and upload — The script reads the hardware hash from the device and uploads it to Intune > Devices > Windows > Windows Enrollment > Devices. This usually takes 15–60 seconds.
5. Success confirmation — You'll see a message in the PowerShell window confirming the device was added. Note the serial number shown — it's useful for verification in Intune.
06 Verify the Upload in Intune
Never assume it worked — always verify. Here's the exact path in the Intune portal:
intune.microsoft.com
--> Devices
--> Windows
--> Windows Enrollment
--> Devices (under Windows Autopilot Deployment Program)
Look for your device by serial number. The serial number shown in the PowerShell output should match what you see here. If the device appears, you're done. If it doesn't show up within 5 minutes, see the troubleshooting section below.
07 Registering an Already-Running Device
Got a machine that's already set up and running Windows? No OOBE to exploit — but you can still register it. The process is nearly identical, just run from an elevated PowerShell session inside Windows:
1. Press Win + X and select Windows Terminal (Admin) or PowerShell (Admin). You must run as Administrator.
2. Run the exact same four commands from Section 4. The script works identically whether you're in OOBE or a live Windows session.
3. After the upload, you don't need to wipe or restart this device immediately — it will be registered for future Autopilot provisioning. If you plan to reset the device, do it after verifying in Intune.
Get-WindowsAutopilotInfo -OutputFile C:\hash-serialnumber.csv, then bulk-import all CSVs at once via Intune's import feature. Far faster than uploading one at a time.
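Before a bulk import, it helps to merge the per-device CSVs and reject rows that would fail or register the wrong thing. This is an added example, not code from the original page; the folder, output name and minimum-size threshold are assumptions, and it expects files written by -OutputFile without a group tag.

```powershell
# Added example: merge per-device CSVs into one import file, validating each row.
$sourceDir = 'C:\Hashes'                                   # hypothetical folder of CSVs
$outFile   = Join-Path $sourceDir 'autopilot-import.csv'   # hypothetical output name
$required  = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
$minBytes  = 1024      # assumed floor; a much shorter hash is treated as truncated

$bySerial = @{}
# Oldest file first, so a later capture of the same serial replaces an earlier one.
foreach ($file in Get-ChildItem -Path $sourceDir -Filter *.csv | Sort-Object LastWriteTime) {
    if ($file.FullName -eq $outFile) { continue }
    foreach ($row in Import-Csv -Path $file.FullName) {
        $missing = $required | Where-Object { $row.PSObject.Properties.Name -notcontains $_ }
        if ($missing) {
            Write-Warning "$($file.Name): missing column(s): $($missing -join ', ')"
            break                                          # skip the rest of this file
        }
        $serial = "$($row.'Device Serial Number')".Trim()
        $hash   = "$($row.'Hardware Hash')".Trim()
        if (-not $serial) { Write-Warning "$($file.Name): empty serial number"; continue }

        # The hash must decode as Base64 and must not be obviously cut short.
        try   { $bytes = [Convert]::FromBase64String($hash) }
        catch { Write-Warning "$($file.Name): hash for $serial is not valid Base64"; continue }
        if ($bytes.Length -lt $minBytes) {
            Write-Warning "$($file.Name): hash for $serial is only $($bytes.Length) bytes"
            continue
        }
        if ($bySerial.ContainsKey($serial)) {
            Write-Warning "$serial seen more than once; keeping the entry from $($file.Name)"
        }
        $bySerial[$serial] = [pscustomobject]@{
            'Device Serial Number' = $serial
            'Windows Product ID'   = "$($row.'Windows Product ID')".Trim()
            'Hardware Hash'        = $hash
        }
    }
}

# Assumption: the import file is written unquoted, like the per-device CSVs.
$bySerial.Values | Sort-Object 'Device Serial Number' | Select-Object $required |
    ConvertTo-Csv -NoTypeInformation | ForEach-Object { $_ -replace '"', '' } |
    Set-Content -Path $outFile -Encoding Ascii
"{0} device(s) written to {1}" -f $bySerial.Count, $outFile
```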
08 Troubleshooting Common Issues
| Problem | Likely Cause | Fix |
|---|---|---|
| Script won't download from PSGallery | No internet connection or TLS handshake failure | Verify network connectivity. Re-run the TLS line first. On OOBE, confirm Wi-Fi is connected before opening CMD. |
| Sign-in popup doesn't appear | Pop-up blocked or running in a limited shell context | Try adding -Credential (Get-Credential) to the command to prompt for credentials inline instead. |
| Access denied / permission error | Account doesn't have Intune Administrator role | Confirm the signing-in account has at least the Intune Administrator role in Entra ID. Global Reader is not sufficient. |
| Device not appearing in Intune after upload | Sync delay or upload silently failed | Wait 5 minutes and refresh. If still missing, re-run the script. Check Intune's Device Enrollment logs under Diagnostics. |
| Autopilot profile not applying after restart | Profile not yet assigned to device in Intune | In Intune portal, verify the device shows "Assigned" under Profile Status before restarting. Assignment can take 2-5 minutes. |
| Duplicate device entry in Intune | Script was run multiple times | Safe to delete the older duplicate entries. The most recent upload is the valid one. Match by serial number. |
09 Pro Tips Before You Go
Group Tag Your Devices
Add -GroupTag "DEPT-SALES" to the command to automatically assign devices to dynamic Autopilot groups in Intune. Saves manual sorting later.
Assign a Device Name
Use -AssignedComputerName "PC-SALES-001" to pre-set the hostname. The device will rename itself during Autopilot provisioning — no manual renaming needed.
Self-Deploying Mode
If your Autopilot profile uses Self-Deploying mode (for shared/kiosk devices), make sure the device has a TPM 2.0 chip. The hash upload step is the same but provisioning requires TPM attestation.
OEM Direct Registration
Buying new PCs in bulk? Ask your OEM (Dell, HP, Lenovo) to register hashes directly with your Intune tenant at time of manufacture. No script needed at all for new fleet rollouts.
"The first time you watch a brand-new laptop configure itself, join the domain, install all apps, and be ready for a user — all without IT touching it — you'll never want to go back to imaging."
— Every sysadmin who has discovered Autopilot
10 You're Done — Go Deploy Something
That's the full picture. What looks like "just run a script" is actually the entry point to one of the most powerful device management workflows Microsoft has built. Nail the hash registration step and the rest of Autopilot flows from it.
Quick recap of what we covered:
| Step | Action | Status |
|---|---|---|
| Understand the hash | Hardware fingerprint = device passport | Concept |
| Choose your scenario | OOBE (Shift+F10) or live Windows session | Easy |
| Run the 4 commands | TLS fix, policy, install, upload | Easy |
| Authenticate to Intune | Sign in as Intune Administrator | Easy |
| Verify in Intune portal | Check Autopilot Devices list | Easy |
| Restart and provision | Only after profile shows Assigned | Important |