Other, Configuration

WinPEAP

WinPEAP is a WinPE-based workflow to transition devices to Entra Joined and auto-enroll them into Intune via Windows Autopilot. It uses OSDCloud to build a customized WinPE ISO, injects the 4kAutopilotHashUpload.ps1 script and oa3tool-based hardware hash capture, and uploads the Autopilot hash to Intune during WinPE. Automation spans OS deployment, driver injection, hash registration, and enrollment, with support for user-driven Autopilot profiles and VM testing considerations.

Security Analysis

6 of 6
All Checks Passed

1 file scanned on Jan 13, 2026

No Obfuscated Code
No Remote Execution
No Credential Theft
No Data Exfiltration
No Malicious Patterns
No Hardcoded Secrets
AI Analysis

Overall assessment: The script is a legitimate WinPE Autopilot hash collection and Graph API upload tool used in Microsoft Intune workflows. Key security considerations include guarding the AppSecret (prefer certificate-based authentication or managed identity), sanitizing error output to avoid leaking sensitive data, verifying the origin and signing of PCPKsp.dll used for TPM-related operations, and avoiding embedding secrets or credentials in logs or code. No evidence of unauthorized remote script downloads, obfuscated payloads, or hardcoded secrets beyond placeholders. Data transmitted to Graph (hardware hash, serial) is expected for Autopilot provisioning but should be tightly controlled with least-privilege permissions.

You might also like

Desktop App

InToolz

InToolz is a management tool for Microsoft Intune designed to simplify cross-tenant migrations and bulk configuration tasks. It enables tenant-to-tenant copy of Intune content, bulk assignment deployment and removal between groups, profiles, and applications, and mass updates to description fields. Note that the project is a work in progress, with several features planned for future releases.

Jørgen Sundet
PS Script

Feature Update Controller

Feature Update Controller is a remediation package for Microsoft Intune that centralizes Windows feature upgrades with configurable setup, scripts, and custom actions. It generates and manages SetupConfig.ini, prestages Script Modules, and configures Custom Actions to tailor upgrade behavior, including post-install and rollback steps. The solution downloads and applies a manifest.json, stages scripts and actions, and supports updating or removing configurations on devices for a consistent upgrade experience.

Nickolaj Andersen
Documentation

Intune Baselines

Intune Baselines provides curated JSON Intune profiles that implement CIS, compliance, and security baselines across Windows, macOS, iOS/iPadOS, Android, and enterprise apps. Built from best practices, Zero Trust concepts, and official CIS benchmarks, these profiles are designed for rapid import into Intune (via Micke-K's IntuneManagement tool). Regularly updated, they support scalable Modern Workplace deployments and testing in diverse environments.

Jan Mulder
PS Script

IntuneFirewallMigration

IntuneFirewallMigration is a public-preview tool that migrates Group Policy and local firewall rules into Intune as Settings Catalog policies. It supports selecting specific firewall profiles (Domain, Private, Public) and importing only inbound or outbound rules, using Microsoft.Graph.Authentication with Invoke-MgGraphRequest. The script disables telemetry, requires Graph permissions (DeviceManagementConfiguration.ReadWrite.All), and works with PowerShell 5 or 7 to modernize firewall management in Intune.

Nick Benton