Documentation

Settings Reference

The Settings page (accessible to Tenant Admins) controls all aspects of how Autopilot Monitor behaves for your tenant — from security and device filtering, to agent behavior, notifications, and data retention. Below is a reference for every available option.

Access Management

Team Members & Roles

Manage who has access to the portal and at what level. New members are added by entering their UPN (e.g. user@contoso.com). The first user to sign in for a tenant is automatically granted Admin rights. Each member is assigned one of three roles:

Admin — Full access to all tenant configuration, sessions, diagnostics, and settings.
Operator — Can view sessions, manage settings, and execute actions on devices.

Admins can enable or disable individual members, update roles, and grant bootstrap token management permissions.

Enrollment Device Validation

Autopilot Device Validation

Default: Disabled

Validates that only devices registered in your Intune tenant as Windows Autopilot devices can register sessions. When enabled, the backend checks each incoming agent request against the Intune Autopilot device list — unauthorized devices are rejected. Enabling this setting requires granting admin consent for the DeviceManagementServiceConfig.Read.All Microsoft Graph permission.

Corporate Identifier Validation

Default: Disabled

Validates devices against Intune Corporate Device Identifiers (manufacturer, model, and serial number). When enabled, the backend checks each incoming agent request against the corporate identifier list in Intune. Uses the same DeviceManagementServiceConfig.Read.All permission as Autopilot Device Validation. At least one validation method must be enabled — disabling all causes the backend to reject all agent requests.

Hardware Whitelist

Allowed Manufacturers

Default: Dell*, HP*, Lenovo*, Microsoft Corporation

Comma-separated list of manufacturer names that are permitted to register sessions. Wildcards (*) are supported — e.g. Dell* matches any string starting with "Dell". Devices with a manufacturer not on this list will have their session registration rejected by the backend. Set to * to allow all manufacturers.

Allowed Models

Default: * (all models)

Comma-separated list of device model names to allow. Works the same as the manufacturer filter with wildcard support. Use this to restrict telemetry to specific hardware lines, e.g. Latitude*,EliteBook*.

Notifications

Notification Provider

Select how you want to receive enrollment notifications. Available providers:

Microsoft Teams (Workflow Webhook) (Recommended) — In Teams, go to the target channel → Manage channel → Workflows → add "Post to a channel when a webhook request is received" → copy the generated URL. Workflow webhooks are free and do not require a Power Automate Premium license.
Microsoft Teams (Legacy Connector) (Deprecated) — Uses the legacy Office 365 Connector webhook format (MessageCard). Microsoft has deprecated this method. Existing configurations will continue to work, but switching to Workflow Webhooks is recommended.
Slack — In Slack, go to your workspace → Apps → Incoming Webhooks → create a new webhook for the target channel → copy the webhook URL.

Webhook URL

The webhook URL for your selected notification provider. Paste the URL generated during the provider setup.

Notify on Success

Default: Enabled (if webhook configured)

Send a notification when an enrollment session completes successfully.

Notify on Failure

Default: Enabled (if webhook configured)

Send a notification when an enrollment session ends in failure. Recommended to keep enabled so failed enrollments are surfaced immediately without having to check the portal manually.

Send Test Notification

Sends a sample notification to your configured webhook to verify the connection is working correctly.

Bootstrap Sessions is an optional feature that is enabled on request only. To get access, open a GitHub issue to request activation for your tenant.

Bootstrap Sessions

Bootstrap Tokens

Bootstrap tokens allow new devices to register with Autopilot Monitor before device validation is fully configured. Each token generates a unique short code and URL that can be shared with technicians or included in provisioning scripts. Tokens have a configurable validity duration (1 h, 4 h, 8 h, 24 h, 48 h, or 7 days) and can be revoked at any time. The token list shows status (Active, Expired, Revoked), creation date, expiry, creator, and usage count. A copy button provides both the URL and a ready-to-use PowerShell command.

Agent Parameters

Self-Destruct on Complete

Default: Enabled

After enrollment finishes, the agent removes its scheduled task and all agent files from the device. This is the recommended mode — the agent is temporary by design and should not remain on enrolled devices.

Keep Log File

Default: Disabled

Only available when Self-Destruct is enabled. If turned on, the agent's local log file is preserved on the device even after self-destruct. Useful for troubleshooting when you need a local record of what happened.

Reboot on Complete

Default: Disabled

Triggers an automatic reboot of the device once the Autopilot enrollment is detected as complete. When enabled, a configurable Reboot Delay (0–3600 seconds, default 10 s) gives the user a brief window to see the result before the reboot happens.

Geo-Location Detection

Default: Enabled

The agent queries an external IP geolocation service to capture the device's public IP address, approximate location, and ISP at enrollment time. This data appears in the session detail view and can help identify where devices are being enrolled. Disable this if your security policy prohibits outbound requests to third-party services.

Set Timezone Automatically

Default: Disabled

Only available when Geo-Location Detection is enabled. Automatically sets the device timezone based on the IP geolocation result using tzutil /s. Useful for shared device scenarios where devices may be enrolled in different time zones.

IME Pattern Match Log

Default: Disabled

When enabled, the agent writes matched Intune Management Extension (IME) log lines to a local file at %ProgramData%\AutopilotMonitor\Logs\ime_pattern_matches.log. Useful for offline analysis of app deployment patterns captured during enrollment.

Show Script Output (stdout)

Default: Enabled

When enabled, standard output from PowerShell scripts (platform and remediation scripts tracked by IME) is shown in the session timeline. Disable this if scripts may output sensitive data. Note: error output (stderr) is always shown regardless of this setting.

Log Level

Default: Info

Controls the verbosity of the agent's own log file. Info covers normal operation, Debug adds detailed step tracing for troubleshooting, Verbose produces a full trace of every internal operation, and Trace enables full diagnostic output including low-level details. Only change this if actively diagnosing an agent issue — Verbose and Trace can produce large log files.

Show Enrollment Summary

Default: Disabled

Displays a visual enrollment summary dialog to the end user after enrollment completes (on both success and failure). Requires the SummaryDialog companion to be deployed alongside the agent. When enabled, the following sub-settings become available:

Auto-Close Timeout

Default: 60 seconds

How long the summary dialog remains open before closing automatically (range: 0–3600 seconds). Set to 0 to disable auto-close — the user must close the dialog manually. Only available when Show Enrollment Summary is enabled.

Launch Retry Timeout

Default: 120 seconds

How long the agent retries launching the summary dialog when the desktop is locked by credential UI (e.g. Windows Hello setup). Set to 0 to disable retries (range: 0–3600 seconds). Only available when Show Enrollment Summary is enabled.

Branding Image URL

Default: None

Optional URL to a banner image displayed at the top of the summary dialog. Recommended size: 540 × 80 px. Larger images will be center-cropped to fit. Only available when Show Enrollment Summary is enabled.

Agent Collectors

Performance Collector

Default: Enabled, 30 s interval

When enabled, the agent periodically collects CPU, memory, disk, and network metrics during enrollment and streams them to the portal. The interval (30–300 seconds) controls how often samples are taken. Disabling this reduces network traffic but removes the performance timeline from session diagnostics. Core collectors (enrollment event tracking, Windows Hello detector) are always active and cannot be disabled.

Hello Wait Timeout

Default: 30 seconds

How long the agent waits for the Windows Hello wizard to appear after ESP exit (range: 30–300 seconds). If Hello does not appear within this window, the agent proceeds with enrollment completion. Increase this value if your devices consistently take longer to reach the Hello screen.

Agent Analyzers

Local Admin Analyzer

Default: Enabled

Detects pre-enrollment local admin account creation — a known Autopilot bypass technique. The analyzer runs at enrollment start and completion, comparing local accounts against an expected baseline. Unexpected accounts trigger an alert visible in the session detail view.

Allowed Local Accounts

Accounts considered expected on enrolled devices (will not trigger alerts). Built-in Windows accounts (Administrator, Guest, DefaultAccount, WDAGUtilityAccount, defaultuser0–2, etc.) are always allowed and shown as read-only. Use this list to add custom service accounts or local accounts that are expected in your environment. Only available when Local Admin Analyzer is enabled.

Software Inventory & Vulnerability Analyzer

Default: Disabled

ExperimentalPre-Release Collects installed software from the Windows registry at enrollment start and completion. Produces a normalized inventory snapshot, detects software installed during enrollment (delta detection), and correlates findings against known vulnerabilities (NVD CVEs, CISA KEV, MSRC).

Diagnostics Package

Blob Storage Container SAS URL

An Azure Blob Storage Container SAS URL used for diagnostics package uploads. The SAS URL must grant at minimum Read, Write, and Create permissions at the container level. The SAS URL is stored securely in the backend and never sent to devices — the agent requests a short-lived upload URL from the backend just before uploading. The portal shows an expiry indicator (green, amber, or red) based on the remaining validity of the SAS URL.

Upload Mode

Default: Off

Controls when diagnostics packages are uploaded: Off — never upload, Always — upload after every session, On Failure Only — upload only when the session ends in failure (recommended if storage costs are a concern). Only available when a Blob Storage URL is configured.

Additional Log Paths

Extra log files or wildcard patterns added to the diagnostics ZIP package. Global paths are defined platform-wide by the Global Admin and always included. Tenant Admins can add their own paths in addition to the global ones (e.g. custom app logs or third-party agent logs).Environment variables (e.g. %ProgramData%) are expanded by the agent. Wildcards are only supported in the last path segment (e.g. C:\Windows\Panther\*.log).To collect logs from the logged-on user's profile, use the %LOGGED_ON_USER_PROFILE% token. Only AppData\Local and AppData\Roaming subdirectories are allowed. Example: %LOGGED_ON_USER_PROFILE%\AppData\Local\RealmJoin\Logs\*.log. During SYSTEM-context phases (before user logon), paths with this token are skipped automatically.Enable Include Subfolders to recursively collect matching log files from all subdirectories. The subfolder structure is preserved in the diagnostics ZIP package.

Unrestricted Mode is an optional feature that is enabled on request only. To get access, open a GitHub issue to request activation for your tenant.

Unrestricted Mode

When enabled, agent guardrails are relaxed: GatherRules can access any registry path, WMI query, and PowerShell/system command. File and diagnostics paths are allowed except C:\Users (always blocked for privacy). Certain dangerous operations (downloads, user creation, boot manipulation, persistence mechanisms) remain hard-blocked even in Unrestricted Mode. This feature requires explicit activation by the platform administrator before it becomes visible in tenant settings.

Data Management

Data Retention Period

Default: 90 days (range: 7–180)

Sessions and their associated events are automatically deleted after this many days. Deletion runs as part of a periodic maintenance job. Reduce this value to limit storage usage; increase it if you need a longer history for auditing or trend analysis.

Session Timeout

Default: 5 hours (range: 1–12)

Sessions that remain in In Progress state beyond this threshold are automatically marked as Failed – Timed Out by the maintenance job. Set this to match (or slightly exceed) your Enrollment Status Page (ESP) timeout so stalled sessions don't permanently inflate your in-progress count.

Danger Zone

Offboard Tenant

Permanently and irreversibly deletes all tenant data: sessions, events, analyze rules, audit logs, configuration, and all admin accounts. You will be signed out immediately. This action requires typing OFFBOARD as a confirmation step and cannot be undone.