# Fixing Autopilot devices' hash-mismatch issues using Intune on-demand remediations

# Problem

It happens that the hardware hash of your Autopilot device changes, typically because the motherboard was replaced or because of some other hardware issue. This causes problems later: when the operating system has to be reinstalled, the Autopilot process doesn't kick in, because the hash Intune has on record no longer matches the device.

You can retrieve Autopilot devices with a hash mismatch using the following PowerShell code:

```powershell
# Reading Autopilot device identities needs DeviceManagementServiceConfig.Read.All
Connect-MgGraph

# Page through all Autopilot identities and keep only the ones Intune flags for remediation
Invoke-MgGraphRequest -Uri "beta/deviceManagement/windowsAutopilotDeviceIdentities" |
    Get-MgGraphAllPages |
    Where-Object RemediationState -NE 'noRemediationRequired' |
    Select-Object DisplayName, SerialNumber, RemediationState
```

And the result can look like this:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1761299455331/0556bd36-c7ec-45fd-abc9-b3f78ab22ddb.png align="center")

* `AutomaticRemediationRequired` means Intune should remediate this issue automatically (you can ignore it)
* `ManualRemediationRequired` and `Unknown` mean you have to solve this on your own

In the Intune portal, you can see the issues in the `Profile status` column, as shown below:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1761298507557/c1701b70-cdb7-48b8-9f5c-c8cb75a95794.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1761311731373/3f2c29e1-bff9-4889-ba67-86bdead5164b.png align="center")

**The problem is that changing the Autopilot hash of an already enrolled device is not possible** 😕

---

# Solution

So, how do you fix the Autopilot hash mismatch?

By creating **automation that gathers the current hash of the problematic devices using an on-demand remediation script**. This way, you can simply import the retrieved hash when the device needs to be reset, without bothering your users.

If you implement my solution, you will see new on-demand remediations, like in the screenshot below, named in the form `_invCmd_<datetime>_<serialNumber>_getAutopilotHash`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1761298252931/9cbefb49-33fd-4a49-8301-020cc6f04e94.png align="center")

And using the following code, you will be able to get the remediation result (the hash string) and import it into the Autopilot database:

```powershell
# Get-IntuneRemediationResult (IntuneStuff module) returns the output of the on-demand remediations;
# pick the one belonging to the affected device (based on the device serialNumber in its name)
$hash = Get-IntuneRemediationResult | Select-Object -ExpandProperty ProcessedOutput

# Import the retrieved hash into the Autopilot device database
Upload-IntuneAutopilotHash -psObject $hash -Verbose
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1761314277714/d6ca8b83-b5c3-41ab-8026-58eb7441eecc.png align="center")

## Prerequisites

* Option to use Intune on-demand remediations
* Option to create an Azure Automation account or an Enterprise Application that will be used from an on-prem scheduled task
* Graph API application permissions for the automation account
    * DeviceManagementManagedDevices.Read.All
    * DeviceManagementManagedDevices.PrivilegedOperations.All
    * DeviceManagementServiceConfig.Read.All
    * DeviceManagementConfiguration.ReadWrite.All
    * DeviceManagementScripts.ReadWrite.All
* PowerShell modules required by the automation code
    * Microsoft.Graph.Authentication
    * Microsoft.Graph.DeviceManagement
    * Microsoft.Graph.Beta.DeviceManagement
    * CommonStuff
    * MSGraphStuff
    * IntuneStuff

## How to

In the automation of your choice (Azure Automation or an on-prem scheduled task), run the PowerShell script [autopilotHashFix.ps1](https://github.com/ztrhgf/azure_automation_runbooks/blob/main/autopilotHashFix.ps1).

<div data-node-type="callout">
<div data-node-type="callout-emoji">💡</div>
<div data-node-type="callout-text">The script is meant to be run using Azure Automation managed identity, but you can rewrite the authentication part to use an Azure Enterprise application instead (<code>$null = Connect-MgGraph -TenantId $_yourTenantDomain -ClientSecretCredential $SPCred</code>)</div>
</div>

Don’t forget to **grant all Graph API application permissions** mentioned in the Prerequisites step, and also **install all required PowerShell modules**!
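To make the on-device half of the workflow concrete, here is an added example of what the detection script of such an on-demand remediation can look like. It is not the script from the linked repository and not part of the IntuneStuff module; it assumes it runs elevated as SYSTEM (as remediations do), reads the hash from the MDM bridge WMI provider, and emits one line of JSON. The JSON shape is my assumption; the exact input format expected by `Upload-IntuneAutopilotHash` is defined by the author's module.

```powershell
# Added example detection script (assumption: runs as SYSTEM, 64-bit, on the affected device).
# It collects the device's current Autopilot hardware hash and returns it as the
# remediation output, so the automation can read it back and import it.

try {
    # Serial number, the value Autopilot uses to identify the device
    $serial = (Get-CimInstance -ClassName Win32_BIOS -ErrorAction Stop).SerialNumber

    # The hardware hash lives in the MDM bridge WMI provider (the same source
    # Get-WindowsAutopilotInfo reads); it is only readable from an elevated context
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
        -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" -ErrorAction Stop
    $hash = $devDetail.DeviceHardwareData

    if ([string]::IsNullOrWhiteSpace($hash)) {
        throw "DeviceHardwareData is empty; the MDM bridge provider returned no hash"
    }

    # One-line JSON keeps the remediation output easy to parse on the automation side
    # (property names are an assumption of this example)
    [pscustomobject]@{
        SerialNumber = $serial
        HardwareHash = $hash
        CollectedUtc = (Get-Date).ToUniversalTime().ToString('o')
    } | ConvertTo-Json -Compress

    # Exit 0 = "no issue": the hash was collected successfully
    exit 0
}
catch {
    # Any failure is surfaced in the output and in the remediation status,
    # so the operator notices that no usable hash came back from this device
    Write-Output "ERROR: $($_.Exception.Message)"
    exit 1
}
```

Because the failure path exits with a non-zero code, devices whose hash could not be read show up as "With issues" in the remediation status instead of silently producing an empty result.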

---

# Summary

Use Intune on-demand remediations to collect the current hardware hash of every Autopilot device whose uploaded hash doesn't match the current one.

This way, you will be ready to import the correct hash when the OS reinstall needs to be done, without any employee interaction.
