Connect the dots: Remediating the Autopilot hardware hash

It’s a common problem: You send a PC off for repair and it comes back with a different hardware component and is no longer recognized as an Autopilot-registered device. In an attempt to help with this, Microsoft mentioned during a recent AMA that a new feature was added to Autopilot to help automate the remediation process. (See Johan’s notes here.)

But apart from a new WindowsAutopilot CSP added in the documentation, there wasn’t much detail on what’s going on with this. But that documentation is enough to dig in deeper. Using my own MDM server, I made a “get” request to this OMA-URI:

./Vendor/MSFT/WindowsAutopilot/HardwareMismatchRemediationData

just to see what it returned. It was a big chunk of base64-encoded stuff, but decoding it shows something more useful (I broke it into multiple lines to make it easier to read):

{
“CachedHardwareBlob“:””,
“CurrentHardwareBlob“:”T0EGBAEAHAAAAAoA6ANGYgAACgDoA0Zi0xd8KuQCCQgCABAACQABAAEAAgABAAAABQAZAAQAAAAAAAAAAAgAAAAAAAACAAEAAwMAEQBBdXRoZW50aWNBTUQABAA0AEFNRCBSeXplbiBUaHJlYWRyaXBwZXIgUFJPIDM5NDVXWCAxMi1Db3JlcyAgICAgAAYAEACIAAAAAAAAAAoA/wEHAB4AfFZpcnR1YWwgRGlzayAgICB8TXNmdCAgICAIAB4AAAAAAAAVXenbbwwAAABWAE0AQgBVAFMAAAAJABAAAAAAAAAEAAP/////GwAIAAAAAAAKAAkAAwEBAAANAFYAVFBNLVZlcnNpb246Mi4wIC1MZXZlbDowLVJldmlzaW9uOjEuMTYtVmVuZG9ySUQ6J01TRlQnLUZpcm13YXJlOjUzODI0NzQ0My4xMzk0NzIyABkABAGp8Yu54jr1cGTCjqRSYPycs05AsOulrKuzmVVXkr9ma/AxvBRUqMvaui5Ubvi8wz6SSkB5bzBXOGb4TgafmIXkJREHpGZCZfMXdDtBnN4t1lo+kd1+2BBtDEmzWFo8aKI9LRo2G2MM/hINAjDXuuQcEI7zBXdfw+4tT4GBjHkYXvoWkSCpiEMDlHZVu6bq+RCGI/OpQG4hBYNKRyBQ8F/SREvEAWMYg2jn3SGiWPaSZj/ZmDDBsnI0/0QRfCKDvlkKfOLjp2nuWVMhzyCT0tC3c/galCNjAELJt8QM/ukKV4aL5V033PrfbwHNjeY2iV+meT9LlDhLrl/Z8XMXmWZlCwAuAAAAAAABACAAAADQsFnSvrbyk0HOljdNOXiAksuIqDajr3uebzoqQEY5OwwAFAAhrnu0kZJvTZh2tPCyqPeODgAlADM3NjItNjAzMS05MzUxLTg3NTgtODIyMi05NjAxLTI4AA8AGgBNaWNyb3NvZnQgQ29ycG9yYXRpb24AEAAaAE1pY3Jvc29mdCBDb3Jwb3JhdGlvbgARABQAVmlydHVhbCBNYWNoaW5lABIACQBOb25lABMAFABWaXJ0dWFsIE1hY2hpbmUAFwAeAEh5cGVyLVYgVUVGSSBSZWxlYXNlIHY0LjEAFAAaAE1pY3Jvc29mdCBDb3Jwb3JhdGlvbgAVABQAVmlydHVhbCBNYWNoaW5lABYAHgBIeXBlci1WIFVFRkkgUmVsZWFzZSB2NC4xABwAHwB8VmlydHVhbCBEaXNrICAgIHxNc2Z0ICAgIAAdABYAAAAAAAAAAAAAAAAAAAAAAAEBHgBGAE0AaQBjAHIAbwBzAG8AZgB0AHwATQBpAGMAcgBvAHMAbwBmAHQAIABIAHkAcABlAHIALQBWACAAVgBpAGQAZQBvAENTJABy2QYpexwia8dpbQ73QfQrEk8ExiCMkhVpx6mcwE14oAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA”,
“IsUefiSupported“:1,
“AutopilotDeviceMarker“:”{6AD69116-2BDA-4FDC-901C-F9DF7AA6EFE8}”,
“AutopilotProfile“:”{”PolicyDownloadDate”:”2022-08-02T17:11:34Z”}”,
“MsaTicket“:”t=EwDQAriJBAAUddA6zngsL7KEFcEo6HFyWEUUVPwAAQ9oiVaIi5wnAtL7qX34uw6EG2GLaM6ReYyfY3AsmuQUw595G+3sfulr1TvSdZxijrNOv1x0TRFexru0j9jOUTYW7PJeGJy11kZeA8dS2q2f/bGcP82vm1bQR1OLITL5QpNZlZjsxv+ckrcvQ1cYnNVTvSHujJvpIAsOKnEdouHuPsIn2tEIix5pEz/2Huu+RAQTx3bMqSiJtUNdjZG8rG6fe9OgURr7AhMPXdQiHr63nIom/+P0v2KrhU1GsqvMbagHp3e8CDxhaC7zGrhhjadY5atJuGJkb4PcmLMd5oUAKxa3jX1FjNglsVhFIpwGZNEK5a4lkh+Dt4LyWV8pI6oDZgAACEqo52x5qrL/oAHoFDqldTyFGOUp/Jc5KxBwbP9xJYYZiAdL4Waz97L5zyyDVO9q2XG71qC3j+Uk34j2EdhYqE4orqrDnd2Q0OFIx0ciSpzKo1uiWHSk8hHPiAeTjfH1Vj7N2ei9DTGn4999xuC6Dpt1oD1KRvKHftD+H/8FrVzfBMK5265YmYThex2SKDVVbFA8QTRPbT6GY0UBk0c4riIad8Y4/wV3wr29W6pczPVJTlZWP7gRloGaLnqygsc4Y/cZfcG59ObCxMRCaSXiw2QdtvK/ingSe1vy5wJ6SiO24kr8dzX3TpyT5frX2XnGRgpHHzuaZHpuoeYoKZL8S9eLHCOYMNkaoUShZoopPaqQ4AahOd2AC8TRsepQbuDguNauYqv7zqJlcPYqBWlRN9hRoo0Wb6yCjQ7ajOtGGxUynP9Mh+sUKj2RU7Nidq1IH8uYzOVit4xWag+MIGlPmlNylw2c3ht0holM53ZQRvMB8K/5/pJSHAnVOTrs9zhckV6VjWdtpvbRKdhNmnJNm9YD6+s44+d+t6M/oJ29lIWEetAg3tr0K3OF69kB&p=”}

So let’s go through each of those fields:

• CachedHardwareBlob. Presumably this tracks the most recent “good” Autopilot hash, which would be stored somewhere on the device. In this case, I had a brand new Windows 11 Pro 25158 install, so there was no cached value. Maybe the next time a value is requested via this OMA-URI, it would get a value.
• CurrentHardwareBlob. This is the current hardware hash, the same as if you retrieved it using PowerShell or using the DevDetail CSP (./DevDetail/Ext/DeviceHardwareData).
• IsUefiSupported. No idea why this is needed, but it doesn’t need much of an explanation.
• AutopilotDeviceMarker. No idea what this is, other than a GUID that presumably was generated specifically for this device.
• AutopilotProfile. This is the Autopilot profile that was received by the device — since my device wasn’t registered with Autopilot, it’s empty.
• MsaTicket. This one is fascinating, if you read through my previous blog post. I mentioned in that post that if you had this ticket you’d be able to request the Autopilot profile for the device (more on that below). But here, I think it’s sending this to the service so that the service can “impersonate” the device and perhaps update it on the back end (Passport.Net).

The MSA ticket really is the most fascinating piece of this. It lets you do something like this:

(Again, my device wasn’t registered with Autopilot, so that 807 error is expected. If it were registered, you would have seen JSON like in the previous blog.)

Going back to my previous blog that used Fiddler to capture the retrieval of the Autopilot profile, this does the equivalent using PowerShell. It was just that MSA ticket that was missing. Too bad this data doesn’t appear to be available via the WMI bridge to make it easier to retrieve client-side.

Entertaining 🙂

One final note: I don’t see how this would address the problem if the hard drive isn’t preserved (e.g. replaced at the same time as the motherboard), since you wouldn’t then have the original hardware hash. Hopefully OEMs always put the original drive back, intact…