Windows Autopilot

CSP partners: Add devices to Windows Autopilot using Partner Center and PowerShell

I’ve given presentations at a variety of events that included this slide, talking about the different mechanisms that are available for registering devices with Windows Autopilot:


For customers, you can register devices using the serial number and hardware hash via Intune.  I published a blog last year that showed how to automate that using PowerShell and the Intune Graph API.  For OEMs, we’ve provided a set of APIs that they can use (with no UI at all, it always automated).  So that leaves partners:  Any CSP partner can register devices on behalf of any customer, as long as the customer consents to that.  See the consent documentation for more details on that process.

So what exactly is a CSP partner?  They are “Cloud Solution Providers.”  You can find more information about the CSP program on the official site, including details about the different types of CSPs that exist.  But from a Windows Autopilot perspective, that part doesn’t matter – any CSP partner can add devices on behalf of any customer, as long as the customer consents.  These CSP partners could be:

  • Resellers
  • Distributors
  • Retailers
  • Service providers
  • Outsourcers

So, if you’re a registered Microsoft partner, you’ve already done the first step.  Becoming a CSP partner is the next step.

Once you are a CSP partner, you can leverage Partner Center to add devices to Windows Autopilot for any of the customers that you have a relationship with.  Sign into Partner Center, click on CSP then Customers, select the customer you want, and click “Devices”:


When you click “Add devices” you can select a CSV file that is similar to the one that is used with Intune, just with two additional columns.  Here’s an example:

Device serial number,Windows product ID,Hardware hash,Manufacturer name,Device model

Notice in this case that there isn’t a hardware hash, just the serial number and the Windows product ID value.  There are a variety of valid combinations, from the Partner Center API documentation:

We recommend always specifying the serial number (mainly so the IT person is always able to figure out which device is which).  But as a CSP partner, you can choose which combination of fields you want.

So let’s change focus to automating this process.  To do this, you need to install a few modules with these PowerShell commands (preferably from an elevated PowerShell session):

Install-Module AzureAD –force
Install-Module PartnerCenter –force
Install-Module WindowsAutopilotPartnerCenter –force

Then, find the WindowsAutopilotPartnerCenter module folder using these commands:

Import-Module WindowsAutopilotPartnerCenter
Get-Module WindowsAutopilotPartnerCenter | format-list

In the same folder as the PSD1 file shown in the “Path” property, there will be a PartnerCenter.xml file.  This needs to be edited (Notepad will do) to specify some key details:


    <!– Production values –>

    <!– Partner-specific settings, must be updated before using the module –>


For the app ID and app secret values, you’ll need to have your Partner Center admin (each partner will have at least one) create an Azure AD app for you; this will be used to authenticate to Partner Center (along with a user ID and password).  See the Partner Center documentation for a PowerShell script that can be used to create this app (a one-time operation).  The PartnerTenantID is the Azure AD tenant ID for your partner tenant (as shown in Partner Center or in Azure AD).

With those three values added, you can then use the module.  You already imported it earlier, so you don’t need to do that again.  Just authenticate, find the customer you want, and then import the batch of machines.  Here’s my example:

PS C:\> Connect-AutopilotPartnerCenter

Account            : Microsoft.Store.PartnerCenter.PowerShell.Authentication.AzureAccount
ApplicationId      : d9e31207-2d74-47ac-a328-1d90436c7f71
AuthenticationType : AppPlusUser
CountryCode        : US
Environment        : GlobalCloud
Locale             : en-US

PS C:\> Get-PartnerCustomer
CustomerId                           Domain                             Name
———-                           ——                             —-
c4f6bf3c-60de-432e-a3ec-20bcc5b26ec2        Acme Corp
e3d700d7-0b42-4373-9501-3eec6d574149          Contoso CM
78a05132-5fda-40fe-99a0-b765ce83eebc    Contoso
278aaea7-4b3f-4a69-a115-ab07bf793396    Fabrikam Corp Inc.
b870bf37-fe75-4db3-9578-ab838438e267      Fabrikam Ltd
e974093c-2a52-4ebd-994e-b3e7e0f90cf2     Fourth Coffee
467266cb-acb5-4cf3-a74c-0345aa0e40de      Northwind Traders
085b2b89-0481-4c13-b5c6-ff215fa3d361    Tailspin Toys
4d85a253-7911-4f67-8023-858670b9ca4b  Wingtip Toys

PS C:\> Import-AutoPilotPartnerCenterCSV -csvFile .\PartnerCenterBatch.csv -CustomerID e3d700d7-0b42-4373-9501-3eec6d574149 -BatchID “Demo Batch”
Batch processed.
Devices successfully added      = 2
Devices not added due to errors = 0

DeviceId         : 50691ec3-b252-45a3-aa84-7aa049e9f214
ErrorCode        : 0
ErrorDescription : None
ProductKey       :
SerialNumber     : 110003260457
Status           : Finished

DeviceId         : f5bee715-405a-4fab-8a1d-605aee45eeb7
ErrorCode        : 0
ErrorDescription : None
ProductKey       :
SerialNumber     : HBNTCX001011462
Status           : Finished

Here’s an overview of those steps:

  • The Connect-AutopilotPartnerCenter function is a fairly simple wrapper that authenticates to Partner Center using cmdlets in the PartnerCenter module.
  • The Get-PartnerCustomer cmdlet is also from the PartnerCenter module.  It lists all the customers that you have access (they have consented to having you as their CSP partner).  Find the GUID of the customer you want.
  • The “Import-AutopilotPartnerCenterCSV function reads the specified CSV file and feeds the devices in it to another function in the PartnerCenter module to create a device batch.  (The device batch name can be anything you want; the value will end up as the “Group Tag” in Intune.)  This function will return some summary details (devices added and not added), followed by a colleciton of the individual results.  If they show an ErrorCode of 0, they were successful; any other value is a failure.  (See for more details on the possible errors.)

It only took me a year to get this script to work – when I initially tried it I gave up in disgust.  (Getting the authentication right using the REST API can be challenging.)  Now, the new PartnerCenter module takes care of almost all the details for you, making this much easier.  (Thanks to Isaiah Williams from the One Commercial Partner team for his work on the PartnerCenter module.)

Categories: Windows Autopilot

7 replies »

  1. I was once told that the combination SerialNumber + OemManufacturerName + ModelName only works for Surface devices. Can you confirm that?


      • Just tried with some HP machines, but it gives the error: ZtdDeviceNotFound

        Can you detect any error in my file?

        Working Surface csv (serials randomized):

        Device serial number,Windows product ID,Hardware hash,Manufacturer name,Device model
        452178925648,,,Microsoft Corporation,Surface Laptop 2,

        Not working HP csv (serials randomized):

        Device serial number,Windows product ID,Hardware hash,Manufacturer name,Device model
        ABC12456G7,,,Hewlett-Packard,HP ProDesk 600 G1 SFF,


  2. The specified values need to match exactly what HP reported when the device was manufactured. HP has used different manufacturer values (HP, HP Inc, Hewlett-Packard, etc.) and has also added other strings to the model. SO the trick is that you need the exact values that HP used. With any luck, those values haven’t changed since the device was manufactured. So you can capture the info from an existing machine using “Get-WindowsAutopilotInfo.ps1” using the “-Partner -Force” switches (“Partner” adds the manufacturer and model columns; “Force” causes it to not capture the hardware hash).


  3. I use the same values as other computers of the same model that I imported manually. I will try the -partner parameter tomorrow to see what it returns.


    • I get the same error using a file generated with the -partner -force parameters. The model and manufacturer are the same.


      • It’s difficult to say what’s out of sync here. The values do need to match what the OEM reported when the device was manufactured; we look up those values to find the hardware hash. You can work around the issue by using the hardware hash (leave off the -Force switch). Otherwise, open a support case via the Intune “Help and Support” link and someone can investigate.