Mike's MDM Blog

Can you create a Autopilot Hash from WinPE? Yes!

Have you ever wondered if you can harvest the Windows Autopilot Hardware 4k Hash from WinPE like used in MDT/SCCM or similar Deployment Systems? Yes, it is absolutely possible, when you keep an eye on a few details that i will describe here.

First thing that you may notice, you can’t use the official Microsoft Script to gather the Hardware Hash, as it uses a WMI Class (MDM_DevDetail_Ext01)that is not present in WinPE and i also was not able to get it to work in WinPE.

So what now to do? We can use the OA3 Tool from the Windows ADK. Michael Niehaus has a very good article about the hardware hash published a while ago, so i will not go into details here, what it is and what the OA3 Tool is. You can check out his findings here:
Connect the dots: Reverse-engineering an Autopilot hash – Out of Office Hours (oofhours.com)

To get the Hardware Hash using the OA3 Tool, we can simply use the following parameters: 

oa3tool.exe /Report /ConfigFile=.\OA3.cfg /NoKeyCheck

I uploaded the needed Config Files and an example Powershell Script to create a csv File, to GitHub for you:
Scripts/Autopilot at main · mmeierm/Scripts (github.com)

One thing that you have to consider if you want to use self deploying Autopilot Profiles is, as you are creating the Hash (which is basically just a Hardware Inventory) only contains Hardware that is found at the moment of the Hash creation. This means, if you will run this script in WinPE without modifications, you will end up with 4k Hash without TPM Info, and therefore you will get an error in Autopilot if you try to assign a Autopilot Profile that requires a TPM 2.0

So what now? After searching around about how Windows implemented the TPM Module, i found an Article from German BSI (Work Package 5: TPM And “UEFI Secure Boot” Analysis (bund.de)). With this document, i was able to see, that we are missing one critical file in WinPE in order to get TPM to work.
The PCPKsp.dll, which is part of the Key Management System.
But simply copying this file from a Windows 10/11 Client to the RAMDisk of WinPE (X:\Windows\System32\PCPKsp.dll) is unfortunately not enough. After digging around with dumpbin from Visual Studio (DUMPBIN Command Line | Microsoft Learn) i eventually found the needed function to get it to work, we need to call it via rundll32 from within WinPE:


So by adding this part to your script, we are able to get a Hash that contains the needed TPM Infos, so that we are able to assign a self deploying Autopilot Profile (I would recommend to use the PCPKsp.dll from a Windows Installation with a similar OS Build as your WinPE)

#Check if File exists and we are in a booted WinPE Session
If((Test-Path X:\Windows\System32\wpeutil.exe) -and (Test-Path $PSScriptRoot\PCPKsp.dll))
{
#Copy File to WinPE
Copy-Item "$PSScriptRoot\PCPKsp.dll" "X:\Windows\System32\PCPKsp.dll"
#Register the File to be able to be used by the OA3 Tool
rundll32 X:\Windows\System32\PCPKsp.dll,DllInstall
}

Posted

in

by

mmeierm

Tags:

,

Comments

16 responses to “Can you create a Autopilot Hash from WinPE? Yes!”

  1. Gary

    Thanks very much, this saved me hours.

    Reply
  2. Modern OS Provisioning for Windows Autopilot using OSDCloud – Mike's MDM Blog

    […] Task Sequence to install the base Windows Image and upload the Autopilot Hash as described here: https://mikemdm.de/2023/01/29/can-you-create-a-autopilot-hash-from-winpe-yes/ and here: […]

    Reply
  3. Chris

    Thanks for this! I had nearly given up on making this work.

    I did find that I needed to add the WinPE Optional Component “WinPE-SecureStartup” to be able to gather some tpm info.

    I also elected to copy PCPKsp.dll into my winpe’s system32 so that I wouldn’t need to add it when booted. Still need to rundll32 X:\Windows\System32\PCPKsp.dll,DllInstall though.

    It took a bit of finding but the oa3tool was located in C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\Licensing\OA30

    Reply
  4. Rémi

    Hi,

    This article look very great ! Thanks for all this work. I have a question, the Autopilot Hash is not supposed to ne unique ?

    I have tried to get the Hash on Windows on my Virtual Machine and I did all what your wrote in the article. It work very well but the Hash is not the same.

    Any idea ?

    Thank you

    Reply
    1. mmeierm

      Hi, the Autopilot “Hash” is not really a Hash but much more a base64 encoded Hardware Inventory. If you check out the Blog Post of Michael Niehaus, he shows how you can “decrypt” the Hash and check what’s in it. https://oofhours.com/2022/06/03/breaking-down-the-windows-autopilot-hardware-hash/
      tl;dr: It’s different every time, but it does not matter 🙂

      Reply
  5. Stephen

    Hi Michael

    Any chance you know of a way to use the Hash to check for AutoPilot enrolment without installing Windows to get to the OOBE? We buy and sell second hand equipment and would be very grateful if we could automate a check for enrolment.

    Stephen

    Reply
    1. mmeierm

      Hi Stephen,
      I guess it should be possible to check this from WinPE, since Michael Niehaus described in his blog, which parts are sent to Microsoft to determine if a device is enrolled in Autopilot, but I have not yet looked into this this deep to be 100% sure about this.

      Basically I guess, it should be request(s) to ztd.dds.microsoft.com

      https://oofhours.com/2022/08/01/connect-the-dots-from-hardware-hash-to-autopilot-profile/

      Michael

      Reply
  6. Jessie

    Hi,
    I am making a bootable USB Stick with a fat32 partition which it boots from, and an ntfs parttion on which scripts and outputs can be stored on.
    It’s already booting, but I need to set the keyboard input language to de-DE and I tried many different ways but none of them work.
    I also need a powershellscript which gets me the hash and saves it to the same directory as where the ps script was executed from.
    Does someone have the time to solve my problem?

    Jessie

    Reply
    1. Jessie

      Small update, I figured out how to set the input language to de-de!
      Now just the Hash generating script left.

      Reply
      1. mmeierm

        Hi, not quite sure, what you need, the script that is linked in the blog post: https://github.com/mmeierm/Scripts/blob/main/Autopilot/Create_4kHash_using_OA3_Tool.ps1 is doing pretty much exactly that, it creates the .csv File to the path that you specify in the -outputFile option. Do you need something else?

        Reply
  7. Mike

    You are champ for creating this. If only more practical engineers like this worked for Microsoft, we wouldn’t have so many hassles migrating. Worked with very little effort and I added it to my WinPE front end with a button.

    Reply
  8. Zeb

    You sir are my hero! I have been wanting to get this to work for a while! This opens up so much potential for automation. If I ever come across you in person drinks/lunch/dinner whatever is on me!

    Reply
  9. n_j

    This is great.
    It sure would be even greater if it was a Microsoft Supported way of doing it. Any way you would pursue this with the Intune team, to make it official?

    Reply
    1. mmeierm

      To be honest, I don’t think Microsoft will ever support this method officially, since the Hash is technically not complete in WinPE as there are for example drivers missing for components that are part of the Hash. Microsoft always stated, the best experience with Autopilot is when the device get’s added by the OEM / Partner, who don’t need this “workaround” in the first place. Additionally the new Autopilot device preparation works completely without the need of registering a device with a Hash, so I wouldn’t expect Microsoft to invest time in testing and validating this way of gathering a Hash. That said, we are using this method now for more than 4 years and more than 15.000 devices without any issues, but your milage may vary…

      Reply
  10. Thomas

    HI

    Im usb version and trying to copy the PCPKsp.dll to system32 but doesnt seem to want to copy over.

    Any help ?

    Reply
    1. mmeierm

      Hi, do you get any error message?

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *