
Fixing Autopilot devices' hash-mismatch issues using Intune on-demand remediations


Problem

It happens that the hardware hash of your Autopilot device changes, typically after a motherboard replacement or some other hardware repair. This causes problems later, when the operating system has to be reinstalled: the Autopilot process doesn't kick in because the hash Intune has on record no longer matches the device.

You can retrieve Autopilot devices with a hash mismatch using the following PowerShell code:

# sign in to Graph (the account needs read access to the Autopilot service configuration)
Connect-MgGraph

# list every Autopilot identity and keep only those Intune reports as not OK;
# Get-MgGraphAllPages (from the MSGraphStuff module) follows the paging links for you
Invoke-MgGraphRequest -Uri "beta/deviceManagement/windowsAutopilotDeviceIdentities" |
    Get-MgGraphAllPages |
    Where-Object RemediationState -NE 'noRemediationRequired' |
    Select-Object DisplayName, SerialNumber, RemediationState

The result can look like this (RemediationState is the column that matters):

  • AutomaticRemediationRequired means Intune should remediate the issue on its own (you can ignore these)

  • ManualRemediationRequired and Unknown mean you have to solve it yourself

In the Intune portal, you can see the same issues in the Profile status column, like below.

The problem is that changing the Autopilot hash is not possible for already enrolled devices 😕


Solution

So, how do you fix the Autopilot hash mismatch?

By creating an automation that gathers the current hash of each problematic device using an on-demand remediation script. The hash is then stored in the remediation result, so you can import it into Autopilot when the device needs to be reset, without bothering your users.

If you implement my solution, you will see new on-demand remediations, like in the screenshot below, named in the form _invCmd_<datetime>_<serialNumber>_getAutopilotHash

Using the following code (Get-IntuneRemediationResult and Upload-IntuneAutopilotHash come from the IntuneStuff module), you can retrieve the remediation result (the hash string) and import it into the Autopilot database:

# pick the remediation that belongs to the device you are resetting (match on its serial number)
$hash = Get-IntuneRemediationResult | Select-Object -ExpandProperty ProcessedOutput

# upload the collected hash as a new Autopilot device identity
Upload-IntuneAutopilotHash -psObject $hash -Verbose

Prerequisites

  • The ability to use Intune on-demand remediations

  • The ability to create an Azure Automation account, or an Enterprise Application that will be used from an on-prem scheduled task

  • Automation account Graph API application permissions

    • DeviceManagementManagedDevices.Read.All

    • DeviceManagementManagedDevices.PrivilegedOperations.All

    • DeviceManagementServiceConfig.Read.All

    • DeviceManagementConfiguration.ReadWrite.All

    • DeviceManagementScripts.ReadWrite.All

  • Automation code PowerShell modules

    • Microsoft.Graph.Authentication

    • Microsoft.Graph.DeviceManagement

    • Microsoft.Graph.Beta.DeviceManagement

    • CommonStuff

    • MSGraphStuff

    • IntuneStuff

How to

In the automation of your choice (Azure Automation or an on-prem scheduled task), run the PowerShell script autopilotHashFix.ps1

💡 The script is meant to be run under an Azure Automation managed identity, but you can rewrite the authentication part to use an Azure Enterprise Application instead ($null = Connect-MgGraph -TenantId $_yourTenantDomain -ClientSecretCredential $SPCred)

Don't forget to grant all Graph API application permissions mentioned in the Prerequisites section, and to install all required PowerShell modules!
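To make the moving parts of the Solution and How to sections concrete, here is an added, trimmed-down illustration of the automation this post describes. It is not the author's autopilotHashFix.ps1 and it does not use the CommonStuff, MSGraphStuff or IntuneStuff modules; it calls the Graph beta endpoints directly through Invoke-MgGraphRequest from Microsoft.Graph.Authentication. It assumes it runs under an Azure Automation managed identity holding the application permissions listed under Prerequisites. The names Invoke-GraphGetAll and Get-CollectedAutopilotHash, the publisher label, and the JSON shape the detection script emits are this example's own choices; the output of the author's script may be shaped differently, so adapt the result object before feeding it to Upload-IntuneAutopilotHash.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example, not the post's own script. Assumes an Azure Automation managed identity
# with the Graph application permissions from the Prerequisites section.

$null = Connect-MgGraph -Identity -NoWelcome

function Invoke-GraphGetAll {
    # Follows @odata.nextLink so that long collections are fully retrieved (hypothetical helper name).
    param([Parameter(Mandatory)][string] $Uri)
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

# 1. Autopilot identities whose stored hash no longer matches and which Intune will not fix by itself
$problemDevices = Invoke-GraphGetAll -Uri 'beta/deviceManagement/windowsAutopilotDeviceIdentities' |
    Where-Object { $_.remediationState -in 'manualRemediationRequired', 'unknown' }

# Detection script that runs on the device. It prints one JSON line with the serial number and the
# current hardware hash (the same WMI class Get-WindowsAutopilotInfo reads). There is no remediation
# script, so it exits 0; only its captured output is of interest.
$detectionScript = @'
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
$hash = (Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'").DeviceHardwareData
[pscustomobject]@{
    SerialNumber = $serial
    HardwareHash = $hash
    CollectedUtc = (Get-Date).ToUniversalTime().ToString('o')
} | ConvertTo-Json -Compress
exit 0
'@

foreach ($ap in $problemDevices) {
    $serial = $ap.serialNumber

    # 2. Find the enrolled Intune device behind the Autopilot identity (match on serial number)
    $managed = (Invoke-MgGraphRequest -Method GET `
        -Uri "beta/deviceManagement/managedDevices?`$filter=serialNumber eq '$serial'").value |
        Select-Object -First 1
    if (-not $managed) { Write-Warning "No enrolled device with serial '$serial'; skipping"; continue }

    # 3. Create a per-device remediation, named the same way the post describes
    $name = "_invCmd_$(Get-Date -Format 'yyyyMMddHHmmss')_${serial}_getAutopilotHash"
    $script = Invoke-MgGraphRequest -Method POST -Uri 'beta/deviceManagement/deviceHealthScripts' -Body @{
        '@odata.type'          = '#microsoft.graph.deviceHealthScript'
        displayName            = $name
        description            = 'Collects the current Autopilot hardware hash (on-demand, detection only)'
        publisher              = 'autopilotHashFix'   # constructed label
        runAsAccount           = 'system'             # the hash is readable only as SYSTEM
        runAs32Bit             = $false
        enforceSignatureCheck  = $false
        detectionScriptContent = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($detectionScript))
    }

    # 4. Run it once, on demand, on exactly this device
    #    (this is what DeviceManagementManagedDevices.PrivilegedOperations.All is needed for)
    Invoke-MgGraphRequest -Method POST `
        -Uri "beta/deviceManagement/managedDevices/$($managed.id)/initiateOnDemandProactiveRemediation" `
        -Body @{ scriptPolicyId = $script.id }
    Write-Output "Requested hash collection for $serial via remediation '$name' ($($script.id))"
}

function Get-CollectedAutopilotHash {
    # Reads the detection output back once the device has reported in (run on a later pass).
    # Returns one object per device with SerialNumber, HardwareHash and CollectedUtc.
    param([Parameter(Mandatory)][string] $ScriptId)
    Invoke-GraphGetAll -Uri "beta/deviceManagement/deviceHealthScripts/$ScriptId/deviceRunStates" |
        Where-Object { $_.preRemediationDetectionScriptOutput } |
        ForEach-Object { $_.preRemediationDetectionScriptOutput | ConvertFrom-Json }
}
```

The detection script runs as SYSTEM because the MDM_DevDetail_Ext01 class is not readable from a standard user context, and the remediation is created per device so that its name (and therefore the remediation result) can be matched back to a serial number, exactly the lookup the Get-IntuneRemediationResult step relies on. Devices that are offline will simply report in later; re-running Get-CollectedAutopilotHash on a subsequent scheduled pass picks them up.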


Summary

Use Intune on-demand remediations to collect the Autopilot hash of every device whose uploaded hash no longer matches the current one.

This way, you will be ready to import the correct hash when the OS reinstall needs to be done, without any employee interaction.