The Autopilot Monitor agent is a lightweight .NET application that runs on the device during the Windows Autopilot enrollment process. It collects real-time telemetry about enrollment phases, app installations, policy processing, and system events — then streams everything to the backend for live monitoring and analysis.
Although the agent arrives on the device via the bootstrapper script — typically a few seconds after MDM enrollment begins — it does not miss any earlier activity. The Intune Management Extension (IME) has been writing detailed log files from the very start of enrollment, and the agent reads those logs from the beginning on its first launch. This backfill mechanism ensures complete coverage of the entire enrollment timeline, with no blind spots.
The result is a complete, chronologically accurate record of every app installation, ESP phase, and enrollment signal from T=0 — regardless of when the agent was installed on the device.
Agent binaries are protected by SHA-256 integrity verification at two stages: during download (package integrity) and at runtime (executable integrity). This ensures the binary has not been tampered with, corrupted during transfer, or modified after installation.
All communication uses HTTPS (TLS 1.2+). The agent authenticates to the backend using the device's MDM client certificate, ensuring only authorized devices receive configuration data.
The agent accepts command-line parameters for testing, debugging, and advanced scenarios. These are passed when launching the agent executable directly.
Session & Lifecycle
Deletes existing session data and starts a fresh session. Useful when the agent needs to be restarted on a device without carrying over stale data from a previous run.
Suppresses self-destruct after enrollment — agent files and the scheduled task remain on the device. Helpful for post-enrollment debugging and log analysis.
Preserves the log directory during self-destruct. Logs remain on disk for later analysis even after the agent cleans up everything else.
Reboots the device after enrollment completes. The reboot is delayed by 10 seconds by default (configurable via the remote configuration). Useful when a reboot is required to finalize device setup but not configured as a tenant default.
Disables geo-location detection. The agent will not attempt to resolve the device's geographic location via IP-based lookup. Useful in restricted network environments or when location data is not desired.
Authentication & Bootstrap
Provides a bootstrap token for pre-MDM authentication during OOBE, before an MDM client certificate is available on the device.
The agent waits for the MDM client certificate to become available before starting monitoring. Timeout can be configured with --await-enrollment-timeout.
Maximum time in minutes to wait for the MDM certificate. Default: 480 (8 hours).
Testing & Replay
Custom path to IME log files. Allows testing with logs collected from other devices without running a real enrollment.
Replays real IME log files from the specified directory and simulates a complete enrollment in fast-forward. Creates a real session in the backend — device information is collected from the current machine (WMI/Registry), while enrollment events are extracted from the log files. Ideal for testing, demos, or analyzing past enrollments without waiting for a live enrollment.
Time compression factor for log replay. Default: 50. A factor of 50 means a 50-minute enrollment replays in approximately 1 minute. Delays between events are divided by this factor, capped at 5 seconds per delay.
Example — Replay a captured enrollment
Replays a previously captured enrollment at 100x speed, creating a full session visible in the dashboard.
Parameters like --replay-log-dir are intended for testing and development environments only — do not use them in production deployments.