Documentation

Name: Autopilot Monitor
Author: Oliver Kieselbach

Agent Changelog

User-facing changes to the Autopilot Monitor agent, newest first. Only includes changes that affect agent behavior on the device.

Agent reports self-update events so updates are visible in the session timeline
Emergency channel — agent can send distress signals when it detects critical failures
ESP "resumed" event is now only emitted for Hybrid Join scenarios (avoids noise on other paths)
Improved crash recovery — completion state is persisted so the agent can resume correctly after an unexpected restart

Agent crash detection — crashes are automatically detected and reported to the backend
SHA-256 integrity verification for agent downloads (bootstrapper + self-updater verify hash before install)
Reboot tracking — reboots during enrollment are now tracked and visible in the timeline
NTP time sync check with clock skew warning when device time is significantly off
Automatic timezone detection and configuration
SecureBoot certificate collection for security posture reporting
IME process watcher — detects when the Intune Management Extension starts or stops
Network change detection — captures network adapter changes during enrollment
Agent self-update mechanism — outdated agents in the field update themselves automatically
Unrestricted mode option (per-tenant) to disable most guard rails
Notification system reworked — supports Teams (legacy + Workflow), Slack, and custom webhooks

Software inventory collection with automatic vulnerability correlation (CVE matching)
Hardware specification event — detailed hardware info collected and reported
Agent shutdown event — clean shutdown is now explicitly tracked
Postponed app detection and handling during enrollment
Self-deploying mode detection and event tracking
Enrollment summary dialog shown on the device after enrollment completes
ESP provisioning status tracking — catches non-IME errors like certificate failures
PowerShell script execution tracking during enrollment
Clock skew detection with geo-location failure reporting
Community analyze rules support

Bootstrap session support — monitoring starts before MDM enrollment (during OOBE)
ESP configuration detection — identifies ESP settings on the device
TPM info collection for device details
Activity-aware idle timeout replaces fixed 4-hour collector limit (default: 15 min idle)
Reliable session end-detection for all deployment scenarios (user-driven, pre-provisioning, hybrid)
Network performance data collection (latency, throughput)
Geographic location support via IP-based lookup
Emergency break — remote kill switch to stop agents
Automatic retry on transient backend errors
Custom User-Agent header for easier firewall allowlisting
ESP state tracking via registry watcher
XML and JSON file gathering in diagnostics
Configurable --await-enrollment parameter for pre-enrollment wait

Pre-Provisioning (White Glove) support — full end-to-end monitoring of pre-provisioning sessions
mTLS for all agent-to-backend communication (consolidated endpoints)
Diagnostics SAS URL fetched on-demand — no longer stored on disk
Max collector duration policy (configurable per tenant)
Diagnostics package upload from device
Configurable reboot-on-complete and keep-logfile options via remote config
Configurable diagnostics log paths (global + per-tenant)
Lenovo model detection fix (WMI query)