hashAndShare.ps1

<#PSScriptInfo
 
.VERSION 1.0.0
.GUID 6d4f83aa-08c1-48e0-92a9-89f12a9cfd73
.AUTHOR Brandon Dube
.COMPANYNAME Seacoast Data
.COPYRIGHT (c) 2025 Seacoast Data. All rights reserved.
.TAGS Autopilot, Intune, Hash, Enrollment, OneTimeSecret
.LICENSEURI https://opensource.org/licenses/MIT
.PROJECTURI https://github.com/dubedubed0/autopilotHash
.ICONURI https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
Initial release — securely uploads Autopilot hardware hash to OneTimeSecret for IT enrollment.
#>


<#
.SYNOPSIS
Collects the Windows Autopilot hardware hash and securely uploads it to OneTimeSecret.
 
.DESCRIPTION
This script is designed for easy execution during Windows OOBE or initial device setup.
It collects the Autopilot hardware hash, serial number, and hostname, then uploads
them to OneTimeSecret as a one-time, expiring payload that can be retrieved by IT.
 
.EXAMPLE
PS> hashAndShare.ps1
 
Collects the hardware hash, uploads it, and prints a one-time secret link to share.
 
.NOTES
- Requires Windows 10 or 11.
- Requires no authentication: no OneTimeSecret account or API key is needed.
- Safe for execution in OOBE using Shift+F10.
#>


# ==========================================================
# Windows Autopilot Hash → OneTimeSecret
# Runs without authentication, ideal for OOBE use
# ==========================================================

# 1️⃣ Collect Autopilot hardware hash (base64)
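# 0️⃣ Configuration
# Base URL of the OneTimeSecret instance. Both the API endpoint and the share
# link are derived from it so the two cannot drift apart.
$otsBaseUrl = 'https://us.onetimesecret.com'
# OneTimeSecret's `ttl` is expressed in seconds. 3600 s = 60 minutes, which is
# the expiry the user is told about at the end of the script; the previous
# value of 60 would have expired the link after one minute.
$secretTtlSeconds = 3600
# Seconds to wait for the upload before failing; OOBE offers no way to see a
# hung request, so an explicit timeout beats an indefinite wait.
$uploadTimeoutSec = 30

# Windows PowerShell 5.1 may negotiate an older TLS version by default. Allow
# TLS 1.2 without removing anything already enabled (no-op on PowerShell 7+).
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# 1️⃣ Collect Autopilot hardware hash (base64)
try {
    Write-Host "Collecting Autopilot hardware hash..." -ForegroundColor Cyan
    $hwData = Get-CimInstance -Namespace root\cimv2\mdm\dmmap -ClassName MDM_DevDetail_Ext01 -ErrorAction Stop
    $hardwareHash = $hwData.DeviceHardwareData
    # A blank DeviceHardwareData would otherwise be uploaded as an empty payload
    # and only be noticed when IT tries to import it.
    if ([string]::IsNullOrWhiteSpace($hardwareHash)) {
        throw "MDM_DevDetail_Ext01 returned no DeviceHardwareData."
    }
    $bios = Get-CimInstance -ClassName Win32_BIOS -ErrorAction Stop
    # Some firmware reports no serial at all; "$()" turns $null into "" so that
    # Trim() cannot throw and surface as a misleading "cannot read hash" error.
    $serialNumber = "$($bios.SerialNumber)".Trim()
    $hostname     = $env:COMPUTERNAME
}
catch {
    Write-Warning "❌ Unable to read Autopilot hash. Are you running on Windows 10/11 OOBE?"
    # Surface the underlying cause so a support engineer can tell a missing
    # MDM class apart from a WMI failure.
    Write-Warning $_.Exception.Message
    exit 1
}

# 2️⃣ Combine into a structured JSON payload
# The payload (serial, name, hardware hash) identifies the device for Autopilot
# registration; it is sent to a third-party service and readable by whoever
# opens the link first, so the link itself must be handed to IT over a trusted
# channel.
$payload = @{
    serialNumber  = $serialNumber
    deviceName    = $hostname
    hardwareHash  = $hardwareHash
} | ConvertTo-Json -Compress

# 3️⃣ Post to OneTimeSecret (no auth)
try {
    Write-Host "Uploading hash to OneTimeSecret..." -ForegroundColor Cyan
    $otsUrl = "$otsBaseUrl/api/v2/secret/conceal"

    $body = @{
        secret = @{
            secret = $payload
            ttl    = $secretTtlSeconds
        }
    } | ConvertTo-Json -Compress

    $otsResp = Invoke-RestMethod -Uri $otsUrl -Method Post -Body $body -ContentType "application/json" -TimeoutSec $uploadTimeoutSec

    # The share link needs the *secret* key (what the recipient opens), not the
    # metadata key (the owner's handle for viewing state / burning). Prefer the
    # secret-side fields and fall back to the metadata identifier only when
    # nothing else is present. NOTE(review): field names differ between API
    # versions — confirm against a live response from this instance.
    $secretId = $null
    foreach ($candidate in @(
            $otsResp.record.secret.identifier,
            $otsResp.record.secret.key,
            $otsResp.record.metadata.identifier
        )) {
        if (-not [string]::IsNullOrWhiteSpace($candidate)) {
            $secretId = $candidate
            break
        }
    }

    if (-not $secretId) { throw "Invalid response from OneTimeSecret." }
}
catch {
    Write-Warning "❌ Failed to upload to OneTimeSecret: $($_.Exception.Message)"
    exit 1
}

# 4️⃣ Display the final output
Write-Host ""
Write-Host "✅ One-time secret created successfully!" -ForegroundColor Green
Write-Host "🔗 Share this URL with IT (viewable once):"
Write-Host " $otsBaseUrl/secret/$secretId" -ForegroundColor Yellow
Write-Host ""
# Derived from the TTL actually sent, so the notice stays truthful if the
# constant changes.
Write-Host "⚠️ Note: The OneTimeSecret link expires in $($secretTtlSeconds / 60) minutes." -ForegroundColor DarkYellow
Write-Host ""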