Settings Reference

The Settings page (accessible to Tenant Admins) controls all aspects of how Autopilot Monitor behaves for your tenant — from security and device filtering, to agent behavior, notifications, and data retention. Below is a reference for every available option.

Enrollment Device Validation

Autopilot Device Validation

Default: Disabled

Validates that only devices registered in your Intune tenant as Windows Autopilot devices can register sessions. When enabled, the backend checks each incoming agent request against the Intune Autopilot device list — unauthorized devices are rejected. Enabling this setting requires granting admin consent for the DeviceManagementServiceConfig.Read.All Microsoft Graph permission.

Corporate Identifier Validation

Default: Disabled

Validates devices against Intune Corporate Device Identifiers (manufacturer, model, and serial number). When enabled, the backend checks each incoming agent request against the corporate identifier list in Intune. Uses the same DeviceManagementServiceConfig.Read.All permission as Autopilot Device Validation. At least one validation method must be enabled — disabling all causes the backend to reject all agent requests.

Hardware Whitelist

Allowed Manufacturers

Default: Dell*, HP*, Lenovo*, Microsoft Corporation

Comma-separated list of manufacturer names that are permitted to register sessions. Wildcards (*) are supported — e.g. Dell* matches any string starting with "Dell". Devices with a manufacturer not on this list will have their session registration rejected by the backend. Set to * to allow all manufacturers.

Allowed Models

Default: * (all models)

Comma-separated list of device model names to allow. Works the same as the manufacturer filter with wildcard support. Use this to restrict telemetry to specific hardware lines, e.g. Latitude*,EliteBook*.
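The wildcard filter behind Allowed Manufacturers and Allowed Models, written out as an added Python example (not Autopilot Monitor's own code). It assumes case-insensitive matching and that only * is a wildcard, as the page describes; the sample device values are constructed.

```python
import re

# Added example, not Autopilot Monitor's own code: evaluates the Allowed
# Manufacturers / Allowed Models settings as the page describes them. Each
# setting is a comma-separated list of patterns in which only "*" is a
# wildcard; a bare "*" allows everything. Assumptions not stated on the page:
# matching is case-insensitive and whitespace around each pattern is ignored.

def pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn one "Dell*"-style pattern into an anchored regex.
    Only "*" is special; every other character is matched literally."""
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

def parse_setting(setting: str) -> list[re.Pattern]:
    """Split the comma-separated setting into compiled, non-empty patterns."""
    return [pattern_to_regex(p.strip()) for p in setting.split(",") if p.strip()]

def matches_any(value: str, setting: str) -> bool:
    """True if value matches at least one pattern in the setting."""
    return any(rx.match(value) for rx in parse_setting(setting))

def is_device_allowed(manufacturer: str, model: str,
                      allowed_manufacturers: str, allowed_models: str) -> bool:
    """Backend-side hardware whitelist: both filters must accept the device,
    otherwise session registration is rejected."""
    return (matches_any(manufacturer, allowed_manufacturers)
            and matches_any(model, allowed_models))

if __name__ == "__main__":
    # Constructed sample values built on the page's default manufacturer list.
    defaults = "Dell*, HP*, Lenovo*, Microsoft Corporation"
    for mfr, mdl, models in [("Dell Inc.", "Latitude 5540", "*"),
                             ("HP", "EliteBook 840 G9", "Latitude*,EliteBook*"),
                             ("HP", "ProBook 450 G9", "Latitude*,EliteBook*"),
                             ("Microsoft", "Surface Laptop", "*")]:
        verdict = "allowed" if is_device_allowed(mfr, mdl, defaults, models) else "rejected"
        print(f"{mfr} / {mdl}: {verdict}")
```

Note that an entry without a wildcard, such as the default Microsoft Corporation, matches only that exact string, so a device reporting a differently spelled manufacturer name is rejected.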

Agent Collectors

Performance Collector

Default: Enabled, 30 s interval

When enabled, the agent periodically collects CPU, memory, disk, and network metrics during enrollment and streams them to the portal. The interval (30–300 seconds) controls how often samples are taken. Disabling this reduces network traffic but removes the performance timeline from session diagnostics. Core collectors (enrollment event tracking, Windows Hello detector) are always active and cannot be disabled.

Hello Wait Timeout

Default: 30 seconds

How long the agent waits for the Windows Hello wizard to appear after ESP exit (range: 30–300 seconds). If Hello does not appear within this window, the agent proceeds with enrollment completion. Increase this value if your devices consistently take longer to reach the Hello screen.

Agent Parameters

Self-Destruct on Complete

Default: Enabled

After enrollment finishes, the agent removes its scheduled task and all agent files from the device. This is the recommended mode — the agent is temporary by design and should not remain on enrolled devices.

Keep Log File

Default: Disabled

Only available when Self-Destruct is enabled. If turned on, the agent's local log file is preserved on the device even after self-destruct. Useful for troubleshooting when you need a local record of what happened.

Reboot on Complete

Default: Disabled

Triggers an automatic reboot of the device once the Autopilot enrollment is detected as complete. When enabled, a configurable Reboot Delay (0–3600 seconds, default 10 s) gives the user a brief window to see the result before the reboot happens.

Geo-Location Detection

Default: Enabled

The agent queries an external IP geolocation service to capture the device's public IP address, approximate location, and ISP at enrollment time. This data appears in the session detail view and can help identify where devices are being enrolled. Disable this if your security policy prohibits outbound requests to third-party services.

IME Pattern Match Log

Default: Disabled

When enabled, the agent writes matched Intune Management Extension (IME) log lines to a local file at %ProgramData%\AutopilotMonitor\Logs\ime_pattern_matches.log. Useful for offline analysis of app deployment patterns captured during enrollment.

Show Script Output (stdout)

Default: Enabled

When enabled, standard output from PowerShell scripts (platform and remediation scripts tracked by IME) is shown in the session timeline. Disable this if scripts may output sensitive data. Note: error output (stderr) is always shown regardless of this setting.

Log Level

Default: Info

Controls the verbosity of the agent's own log file. Info covers normal operation, Debug adds detailed step tracing for troubleshooting, and Verbose produces a full trace of every internal operation. Only change this if actively diagnosing an agent issue — Verbose can produce large log files.

Enrollment Summary Dialog

Show Enrollment Summary

Default: Disabled

Displays a visual enrollment summary dialog to the end user after enrollment completes (on both success and failure). Requires the SummaryDialog companion to be deployed alongside the agent.

Auto-Close Timeout

Default: 60 seconds

How long the summary dialog remains open before closing automatically (range: 0–3600 seconds). Set to 0 to disable auto-close — the user must close the dialog manually. Only available when Show Enrollment Summary is enabled.

Launch Retry Timeout

Default: 120 seconds

How long the agent retries launching the summary dialog when the desktop is locked by credential UI (e.g. Windows Hello setup). Set to 0 to disable retries (range: 0–3600 seconds). Only available when Show Enrollment Summary is enabled.

Branding Image URL

Default: None

Optional URL to a banner image displayed at the top of the summary dialog. Recommended size: 540 × 80 px. Larger images will be center-cropped to fit. Only available when Show Enrollment Summary is enabled.

Agent Analyzers

Local Admin Analyzer

Default: Enabled

Detects pre-enrollment local admin account creation — a known Autopilot bypass technique. The analyzer runs at enrollment start and completion, comparing local accounts against an expected baseline. Unexpected accounts trigger an alert visible in the session detail view.

Allowed Local Accounts

Accounts considered expected on enrolled devices (will not trigger alerts). Built-in Windows accounts (Administrator, Guest, DefaultAccount, WDAGUtilityAccount, defaultuser0–2, etc.) are always allowed and shown as read-only. Use this list to add custom service accounts or local accounts that are expected in your environment. Only available when Local Admin Analyzer is enabled.
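The comparison step of the Local Admin Analyzer and its Allowed Local Accounts baseline, as an added Python example that is not Autopilot Monitor's own code. The account snapshots are constructed sample data; the built-in account names are the ones listed above.

```python
# Added example, not Autopilot Monitor's own code: the comparison step of the
# Local Admin Analyzer as the page describes it. A snapshot of local accounts
# is taken at enrollment start and again at completion; each snapshot is
# compared against the always-allowed built-in accounts plus the tenant's
# Allowed Local Accounts list, and any other account raises an alert. Account
# names are compared case-insensitively, as Windows does. The snapshots below
# are constructed sample data, not output from a real device.

BUILTIN_ACCOUNTS = {
    "administrator", "guest", "defaultaccount", "wdagutilityaccount",
    "defaultuser0", "defaultuser1", "defaultuser2",
}

def baseline(allowed_local_accounts) -> set[str]:
    """Expected accounts: built-ins (always allowed) plus tenant-configured names."""
    return BUILTIN_ACCOUNTS | {a.strip().lower() for a in allowed_local_accounts if a.strip()}

def find_unexpected(snapshot, allowed_local_accounts):
    """snapshot: iterable of (account_name, is_local_admin). Returns the entries
    that are not covered by the baseline, preserving the observed name."""
    expected = baseline(allowed_local_accounts)
    return [(name, is_admin) for name, is_admin in snapshot if name.lower() not in expected]

def run_local_admin_analyzer(start_snapshot, completion_snapshot, allowed_local_accounts=()):
    """Produce the alerts for both analyzer runs. A completion-phase finding that
    was absent at start was created during enrollment itself."""
    start_names = {name.lower() for name, _ in start_snapshot}
    alerts = [{"phase": "start", "account": n, "local_admin": adm, "new_since_start": False}
              for n, adm in find_unexpected(start_snapshot, allowed_local_accounts)]
    alerts += [{"phase": "completion", "account": n, "local_admin": adm,
                "new_since_start": n.lower() not in start_names}
               for n, adm in find_unexpected(completion_snapshot, allowed_local_accounts)]
    return alerts

if __name__ == "__main__":
    # Constructed snapshots: svc-deploy is a known service account, localtech is not.
    start = [("Administrator", True), ("defaultuser0", False), ("svc-deploy", True)]
    end = start + [("localtech", True)]
    for alert in run_local_admin_analyzer(start, end, allowed_local_accounts=["svc-deploy"]):
        print(alert)
```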

Notifications

Notification Provider

Select how you want to receive enrollment notifications. Available providers:
  • Microsoft Teams (Workflow Webhook) (Recommended) — In Teams, go to the target channel → Manage channel → Workflows → add "Post to a channel when a webhook request is received" → copy the generated URL. Workflow webhooks are free and do not require a Power Automate Premium license.
  • Microsoft Teams (Legacy Connector) (Deprecated) — Uses the legacy Office 365 Connector webhook format (MessageCard). Microsoft has deprecated this method. Existing configurations will continue to work, but switching to Workflow Webhooks is recommended.
  • Slack — In Slack, go to your workspace → Apps → Incoming Webhooks → create a new webhook for the target channel → copy the webhook URL.

Webhook URL

The webhook URL for your selected notification provider. Paste the URL generated during the provider setup.

Notify on Success

Default: Enabled (if webhook configured)

Send a notification when an enrollment session completes successfully.

Notify on Failure

Default: Enabled (if webhook configured)

Send a notification when an enrollment session ends in failure. Recommended to keep enabled so failed enrollments are surfaced immediately without having to check the portal manually.

Send Test Notification

Sends a sample notification to your configured webhook to verify the connection is working correctly.

Diagnostics Package

Blob Storage Container SAS URL

An Azure Blob Storage Container SAS URL used for diagnostics package uploads. The SAS URL must grant at minimum Read, Write, and Create permissions at the container level. The SAS URL is stored securely in the backend and never sent to devices — the agent requests a short-lived upload URL from the backend just before uploading. The portal shows an expiry indicator (green, amber, or red) based on the remaining validity of the SAS URL.

Upload Mode

Default: Off

Controls when diagnostics packages are uploaded: Off — never upload, Always — upload after every session, On Failure Only — upload only when the session ends in failure (recommended if storage costs are a concern). Only available when a Blob Storage URL is configured.

Additional Log Paths

Extra log files or wildcard patterns added to the diagnostics ZIP package. Global paths are defined platform-wide by the Galactic Admin and always included. Tenant Admins can add their own paths in addition to the global ones (e.g. custom app logs or third-party agent logs). Environment variables (e.g. %ProgramData%) are expanded by the agent. Wildcards are only supported in the last path segment (e.g. C:\Windows\Panther\*.log).
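A validator for Additional Log Paths entries that applies the two rules above (variable expansion, wildcard only in the last segment), as an added Python example that is not Autopilot Monitor's own code. It expands variables from a constructed environment dictionary rather than the real process environment, and treating an unknown variable as a rejection is this example's own choice.

```python
import re

# Added example, not Autopilot Monitor's own code: validates one Additional Log
# Paths entry against the two rules on the page, i.e. environment variables in
# %NAME% form are expanded, and a wildcard is permitted only in the last path
# segment. Expansion uses a constructed environment dictionary instead of the
# real process environment, so the check runs on any platform; rejecting an
# entry that references an unknown variable is this example's own choice.

WILDCARD_CHARS = ("*", "?")
_VAR = re.compile(r"%([^%]+)%")

def expand_vars(entry: str, env: dict[str, str]) -> str:
    """Expand %NAME% references; variable names are case-insensitive on Windows."""
    env_ci = {k.lower(): v for k, v in env.items()}
    def repl(m):
        name = m.group(1).lower()
        if name not in env_ci:
            raise KeyError(m.group(1))
        return env_ci[name]
    return _VAR.sub(repl, entry)

def validate_log_path(entry: str, env: dict[str, str]) -> tuple[bool, str]:
    """Return (True, expanded_path) or (False, reason) for one entry."""
    try:
        expanded = expand_vars(entry.strip(), env)
    except KeyError as exc:
        return False, f"unknown environment variable %{exc.args[0]}%"
    segments = [s for s in re.split(r"[\\/]", expanded) if s]
    if not segments:
        return False, "empty path"
    for seg in segments[:-1]:
        if any(c in seg for c in WILDCARD_CHARS):
            return False, f"wildcard in non-final segment: {seg!r}"
    return True, expanded

if __name__ == "__main__":
    env = {"ProgramData": r"C:\ProgramData"}  # constructed, not os.environ
    for entry in (r"%ProgramData%\AutopilotMonitor\Logs\*.log",
                  r"C:\Windows\Panther\*.log",
                  r"C:\Users\*\AppData\Local\Temp\app.log",
                  r"%LogRoot%\app.log"):
        print(entry, "->", validate_log_path(entry, env))
```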

Data Management

Data Retention Period

Default: 90 days (range: 7–180)

Sessions and their associated events are automatically deleted after this many days. Deletion runs as part of a periodic maintenance job. Reduce this value to limit storage usage; increase it if you need a longer history for auditing or trend analysis.

Session Timeout

Default: 5 hours (range: 1–12)

Sessions that remain in In Progress state beyond this threshold are automatically marked as Failed – Timed Out by the maintenance job. Set this to match (or slightly exceed) your Enrollment Status Page (ESP) timeout so stalled sessions don't permanently inflate your in-progress count.

Team Management

Team Members & Roles

Manage who has access to the portal and at what level. New members are added by entering their UPN (e.g. user@contoso.com). The first user to sign in for a tenant is automatically granted Admin rights. Each member is assigned one of three roles:
  • Admin — Full access to all tenant configuration, sessions, diagnostics, and settings.
  • Operator — Can view sessions, manage settings, and execute actions on devices.
Admins can enable or disable individual members, update roles, and grant bootstrap token management permissions.
Bootstrap Sessions is an optional feature that is enabled on request only. To get access, open a GitHub issue to request activation for your tenant.

Bootstrap Sessions

Bootstrap Tokens

Bootstrap tokens allow new devices to register with Autopilot Monitor before device validation is fully configured. Each token generates a unique short code and URL that can be shared with technicians or included in provisioning scripts. Tokens have a configurable validity duration (1 h, 4 h, 8 h, 24 h, 48 h, or 7 days) and can be revoked at any time. The token list shows status (Active, Expired, Revoked), creation date, expiry, creator, and usage count. A copy button provides both the URL and a ready-to-use PowerShell command.

Danger Zone

Offboard Tenant

Permanently and irreversibly deletes all tenant data: sessions, events, analyzer rules, audit logs, configuration, and all admin accounts. You will be signed out immediately. This action requires typing OFFBOARD as a confirmation step and cannot be undone.

Autopilot Monitor v1.0.0