Section 2 of 8
In Progress

2. Registering devices with Windows Autopilot

16th January 2023

Aim: To understand the various methods for registering devices with the Windows Autopilot service. 

Registering a device with Windows Autopilot (Device Directory Service) locks it to your Microsoft 365 tenant. As such, you would only register devices that the organisation owns.  There are three ways to register a device for Windows Autopilot: 

  1. You can authorize the hardware vendor (OEM or reseller) to register Windows Autopilot devices on your behalf. 
  1. Using a PowerShell script, You can harvest the fingerprint on your existing devices.  When harvesting the fingerprint, you can either register it directly with Windows Autopilot or collect many fingerprints in bulk and upload them to your tenant in a comma-separated value (CSV) formatted file. 
  1. You can add devices already in Intune and Azure AD domain joined only to a group to register those devices so they have the Autopilot experience when the PC is reset. 

If a device leaves your organization for a repair or the end of the device life cycle, the device should always be de-registered from the Windows Autopilot deployment service. 

To register a Windows device with the Windows Autopilot deployment service, you need to be able to identify it.  Typically you will use a combination of the device serial number and device fingerprint. 

Note Microsoft’s documentation also refers to the Windows device fingerprint as “hardware ID” and “hardware hash.” This fingerprint is a 4K string retrieved from a running Windows device, which has been added by the manufacturer using the OEM Activation Tool 3.0 (OA3 tool).  You can register a device with Windows Autopilot without the fingerprint if you have the “tuple” – three pieces of information, namely the serial number, manufacturer name, and device model. 

Note also that the hardware hash [fingerprint] changes each time it’s generated because it includes details about when it was generated. When the Windows Autopilot deployment service attempts to match a device, it considers changes like that. It also considers changes such as a new hard drive and can still match successfully. When a device has a motherboard replacement, the changes may not match, so a new hash must be generated and uploaded.