Autopilot: Let there be conversion

Last Updated on January 24, 2023 by rudyooms

This blog will be about an old existing Autopilot feature called “Convert All targeted devices to Autopilot”. I decided to dedicate a small blog to this wonderful feature to explain the simple flow behind it.

I will divide this blog into multiple parts

  1. Introduction
  2. The flow
  3. ./devdetail/ext/devicehardwaredata
  4. Duurt lang!!! (Yes, in Dutch)
  5. What have we learned

1. Introduction

In one of my other blogs I already mentioned some things about this wonderful feature to convert existing devices to Autopilot devices, but I decided to remove that part and dedicate a separate blog to it. Let’s proceed, shall we?

There are some precious moments in life when it could be hard to fetch the Autopilot 4k Hash yourself from the device. Luckily Microsoft has got us covered! About 4 years ago, Microsoft introduced the feature to “convert all targeted devices to Autopilot”.

With this wonderful feature, you can make sure that your already Azure AD Joined and Intune enrolled devices are going to be “converted” to Autopilot devices. This feature saves you the trouble of fetching the 4k Hardware Hash yourself, isn’t that nice?

The name “converted” is perhaps a poorly chosen word, as people could think that the “old” device is removed after it is converted, but of course that’s not the case!

As mentioned earlier, it works with existing Azure AD Joined devices, but it’s good to know that it also works with existing Azure AD Registered devices that are enrolled into Intune. Let’s go forth and check out how it works with AADR devices.

2. The Flow

Let’s start with the flow to make things a bit more clear, so please take a look at it before reading further!

As shown above, we have 3 major requirements! Let’s start with the first one: the device needs to be enrolled into Intune. Once your AADR device is enrolled with Intune/MDM, Intune can fetch the 4k Hardware Hash by leveraging the ./devdetail/ext/devicehardwaredata CSP.

The second requirement is that the device NEEDS to be marked as corporate. As shown below, if the device ownership is configured as “Personal” the “conversion” isn’t going to work! Personal devices and Autopilot, it’s like #Intunebeer and Google Workspace. They don’t go well together!

So please make sure the AADR device ownership is changed to “Corporate”, so that the Autopilot Deployment Service will accept the device:

# Tongue-in-cheek version of the ownership check the service performs
if ($device.Ownership -eq "Corporate") {
    Write-Host "It's all fine!!!!, let's enroll that device into the Autopilot service"
} else {
    Write-Host "You shall not pass!!! I am not accepting your personal shit"
}

I guess it’s pretty obvious that you also need to make sure that the Autopilot profile with the “Convert all targeted devices to Autopilot” setting enabled is assigned to the group the AADR device is a member of.

3. ./devdetail/ext/devicehardwaredata

In this part, I am going to tell you some additional funny details about the ./devdetail/ext/devicehardwaredata CSP. This CSP is responsible for fetching the raw 4k Hardware Hash blob from your wonderful Intune enrolled device.


I guess we all remember this one, right? As shown below, when fetching the 4k Hardware Hash ourselves we can also use PowerShell and query the same CSP node:

(Get-CimInstance -CimSession (New-CimSession) -Namespace root/cimv2/mdm/dmmap -ClassName MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'").DeviceHardwareData

Another way to get some details about this 4k Hardware Hash on your Azure AD Registered device is by opening the registry key

Software\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\node\ and searching for DeviceHardwareData.


As shown above and below, by the looks of it this registry key contains the Hardware Hash. When we reassemble this value we end up with the reconstructed Hardware Hash.
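To tie the two sources together, here is an added example (my own script, not from the original post or from Microsoft) that reads the hash through the same CSP node Intune uses, looks for the copy Intune cached under the NodeCache key, and emits the row in the standard Autopilot import CSV layout. It assumes the NodeCache stores one subkey per node carrying NodeUri and ExpectedValue values, and it must run elevated.

```powershell
# Added example: compare the live CSP value with the NodeCache copy and build a CSV row.
# Assumption: every cached node is a subkey with 'NodeUri' and 'ExpectedValue' values.
function Get-DeviceHardwareData {
    # Same CIM bridge the blog shows; root/cimv2/mdm/dmmap is only readable when elevated.
    $session = New-CimSession
    try {
        $node = Get-CimInstance -CimSession $session -Namespace 'root/cimv2/mdm/dmmap' `
            -ClassName 'MDM_DevDetail_Ext01' `
            -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
        return $node.DeviceHardwareData
    } finally {
        Remove-CimSession $session
    }
}

function Get-CachedHardwareData {
    # Walk every node cached for the MS DM Server (Intune) enrollment and return the
    # value stored for the DeviceHardwareData URI, or $null if Intune never asked for it.
    $base = 'HKLM:\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server'
    Get-ChildItem -Path $base -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.NodeUri -like '*DeviceHardwareData*') { $props.ExpectedValue }
    } | Select-Object -First 1
}

$hash   = Get-DeviceHardwareData
$cached = Get-CachedHardwareData
$bytes  = [Convert]::FromBase64String($hash)   # the blob is base64; ~4 KB decoded
"Hash length: $($bytes.Length) bytes"
"NodeCache entry present: $($null -ne $cached)"
"NodeCache matches live value: $($null -ne $cached -and $cached -eq $hash)"

# Standard Autopilot import columns, so the same data can be uploaded manually if conversion stalls.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
[PSCustomObject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $hash
} | ConvertTo-Csv -NoTypeInformation
```

A missing NodeCache entry on an enrolled device simply means Intune has not synced that node yet; a mismatch after a hardware change is the usual reason a converted device stops matching its Autopilot record.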


Besides looking at the registry, you can also look at what is going on with the SyncML tool. You will notice that even when the device isn’t a converted Autopilot device, Intune is asking the device to find and fetch the 4k Hardware Hash.


I was expecting to only see this CSP being queried at the moment the device was being enrolled into the Autopilot Deployment Service, but I guess that’s not the case.

4. Duurt lang!!! (In Dutch)

As we say in Dutch, duurt lang!! (it takes a while). Sometimes it really takes a long time before the existing Azure AD Registered, corporate marked device has been enrolled into the Autopilot Deployment Service and has been assigned the proper Autopilot profile.


Microsoft tells us to “Allow 48 hours for the registration to be processed.” But most of the time it will be processed within a couple of hours. Some time ago I had 1 device that just refused to convert to an Autopilot device, even though it was marked as a corporate device.

Of course, I could upload that hash myself, but that wouldn’t be fun, right?

So I decided to see if I could speed it up a bit. Before proceeding, I made sure the device was in the group targeted by the Autopilot profile.

I opened a nice cmd and ran the dsregcmd /leave command (or click on Disconnect in the Access work or school settings). After waiting a couple of minutes I clicked on the Connect button again.


This time it took about an hour before the device was converted to an Autopilot device. Of course, this isn’t best practice, but I was curious whether there was any other option instead of just waiting for the existing device to be “converted” to an Autopilot device.

5. What have we learned?

Looking back at the flow, let me explain a bit more about what it shows.

When you want to enroll a new device into the Autopilot Deployment Service you would probably use the Get-WindowsAutopilotInfo PowerShell module to upload the required Hardware Hash. By doing so you will be prompted to sign in with a Microsoft 365 account that is allowed to perform this action.

With the “Convert all targeted devices to Autopilot” option, we don’t need to perform any additional authentication. Is that weird? No, of course not!

If you have read my previous blogs mentioning the Intune MDM device certificate you probably already know why, but let me explain it once more.

When your device is enrolled into MDM/Intune, trust is established between the device and Intune by means of a certificate. With this trust relationship, the Intune service has direct access to the device to fetch the Hardware Hash by using the CSP (./devdetail/ext/devicehardwaredata) I mentioned earlier.

The wonderful Intune service also has direct access to the back end of the Autopilot Deployment Service to create the “virtual Autopilot device” with the DeviceHardwareData it fetched from the device. How else would it be possible for us to upload a CSV to create the Autopilot devices?

The last step will only be performed if your device is marked as corporate in Intune; otherwise, you could wait until the end of days to have your AADR device converted to an Autopilot device.

Conclusion:

This “convert” option isn’t new, but still, it was fun to look at it and the flow behind it. I guess I was a bit busy with my day-to-day job, so I didn’t have the time to perform a deep dive this week. Hopefully, you enjoyed it!

2 thoughts on “Autopilot: Let there be conversion”

  1. Hi,
    Thanks for this article! I wonder if this works well for the hybrid Azure AD joined devices as well. All of our devices are hybrid Azure AD joined and co-managed. I tried assigning a Hybrid Azure AD join profile 5 days back and still the device is not reflecting under Assigned Devices. Tried the AAD profile as well this morning with no luck. Really appreciate your response on this.

  2. For us, working in a hybrid environment, once the Deployment Profile with convert is assigned to the sec group, the client is indeed added (in a matter of hours) to Windows Autopilot Devices. However, in nearly all cases no deployment profile is shown as assigned (even after weeks). This is very strange, as looking at the list SOME do get profiles assigned, but not many (8 out of around 250)… All of them are targeted by the same Deployment Profile which is used to convert them. So you end up with a situation in which the client is converted by a Deployment Profile which it says is not assigned to it…

    This means that before resetting any device, we need to go back to the list of devices, find the one we are looking for and add a Group Tag. Then the profile is assigned. It works, but it’s not what we had in mind ;).
