Navigation
IME Log Patterns are regular expressions (regex) that the Autopilot Monitor agent uses to parse the Intune Management Extension (IME) log file in real time. Each line of the IME log is matched against the active patterns — when a regex matches, the agent extracts data via named capture groups and fires the corresponding action, producing a structured event that appears in the session timeline.
Why regex?
The IME log is a plain-text file with no structured format. Regex patterns allow the agent to reliably extract information from free-form log lines — app download progress, install status changes, ESP phase transitions, and more — without depending on a specific log format version.
1. Pattern Matching
The agent reads the IME log line by line. Each line is tested against all active patterns whose category applies to the current enrollment phase.
2. Data Extraction
When a regex matches, named capture groups (e.g. (?<appId>...)) extract values from the log line and pass them to the action handler.
3. Event Generation
The action handler processes the extracted data and emits a structured event — for example an app state change, an ESP phase transition, or an error detection.
Each pattern is a JSON object with the following fields:
| Field | Description |
|---|---|
| patternId | Unique identifier for the pattern (e.g. IME-DOWNLOADING). |
| category | When the pattern is active: always, currentPhase, or otherPhases. |
| pattern | The regex (C# syntax) applied to each log line. Uses named capture groups to extract values. |
| action | The handler that processes the match (e.g. updateStateDownloading). |
| description | Human-readable description of what the pattern detects. |
| enabled | Whether the pattern is active. Disabled patterns are skipped during log parsing. |
| parameters | Optional key-value pairs passed to the action handler for additional configuration. |
Categories control when a pattern is evaluated relative to the current ESP phase:
always
Evaluated on every log line, regardless of the current phase. Used for universal signals like agent version detection, IME restarts, or enrollment completion.
currentPhase
Only evaluated during the active ESP phase. Used for tracking app downloads, installs, and other progress within the phase the user is currently in.
otherPhases
Evaluated for non-active phases. Used to detect apps that were already completed in a previous phase, so they can be filtered from the current view.
Each pattern specifies an action — a handler in the agent that processes the regex match and produces the corresponding event. The action determines what happens when the pattern matches.
| Action | Purpose | Capture Groups |
|---|---|---|
| imeAgentVersion | Detect IME agent version | agentVersion |
| imeStarted | IME agent started | — |
| espPhaseDetected | ESP phase transition | espPhase |
| policiesDiscovered | App policies JSON found | policies |
| setCurrentApp | Set current app being processed | id |
| updateStateDownloading | App download progress | bytes, ofbytes |
| updateStateInstalling | App installation started | — |
| updateStateInstalled | App installation completed | — |
| updateStateError | App error detected | — |
| updateStateSkipped | App skipped | — |
| updateStatePostponed | App postponed | — |
| espTrackStatus | ESP tracked install status | from, to, id |
| updateName | Update app display name | id, name |
| updateWin32AppState | Win32 app state change | id, state |
| ignoreCompletedApp | App already completed in prior phase | — |
| cancelStuckAndSetCurrent | Cancel stuck app, set new current | id |
| enrollmentCompleted | Enrollment completed | — |
Capture groups are the bridge between the regex and the action handler. They use the syntax (?<name>...) to extract specific values from the matched log line.
GUID Placeholder
Patterns can use the {GUID} placeholder, which the agent automatically expands to a standard GUID regex pattern. This avoids repeating the verbose GUID regex in every pattern that needs to match application IDs.
Example 1 — Detect IME Agent Version
Category: always — matches on every log line
// Pattern
Agent version is: (?<agentVersion>[\d.]+)
// Action: imeAgentVersion
What happens
When the IME log contains Agent version is: 1.83.2405.0001, the capture group agentVersion extracts 1.83.2405.0001 and the agent records the IME version for the session.
Example 2 — Track App Download Progress
Category: currentPhase — only active during the current ESP phase
// Pattern
\[StatusService\] Downloading app \(id = {GUID}.*?\) via (?<tech>\w+), bytes (?<bytes>\w+)/(?<ofbytes>\w+) for user
// Action: updateStateDownloading
What happens
Extracts the download technology (tech: DO or CDN), bytes downloaded (bytes), and total size (ofbytes). The agent updates the app state to "downloading" with real-time progress.
Example 3 — ESP Phase Transition
Category: always — critical for tracking enrollment progress
// Pattern
\[Win32App\] (?:In|The) EspPhase: (?<espPhase>\w+)
// Action: espPhaseDetected
What happens
Detects when the IME transitions between ESP phases (e.g. DeviceSetup, AccountSetup). This drives the phase-aware filtering of currentPhase and otherPhases patterns.
Microsoft occasionally changes log formats in the Intune Management Extension. When this happens, existing patterns may stop matching. If you notice that a pattern no longer fires for log lines it should match, you can help by submitting a pull request on GitHub with an updated or new pattern.
Debugging with the IME Pattern Match Log
If you suspect a pattern is no longer matching, enable the IME Pattern Match Log in the Settings page. When enabled, the agent writes every matched IME log line to a local file at %ProgramData%\AutopilotMonitor\Logs\ime_pattern_matches.log. This lets you see exactly which patterns are firing and which log lines are going unmatched — making it much easier to identify what changed in the log format and adjust the regex accordingly.
How to contribute
rules/ime-log-patterns/ directory.IME Log Patterns page
Use the IME Log Patterns page in the portal to browse and filter all active patterns. The page shows each pattern with its regex, action, category, and description. Use the View as JSON toggle to see the full pattern definition — especially useful when preparing a pull request with updated or new patterns.