IdleMonitor is a lightweight background tool that tracks keyboard and mouse activity for logged-in users. It logs only state changes (Active → Idle and Idle → Active) to a daily CSV file, making it suitable for activity auditing without continuous screen recording or intrusive monitoring.
- Runs silently in the background at every user logon via a Windows Scheduled Task
- Polls every 2 minutes and marks a user as Idle after 5 minutes of no keyboard or mouse input
- Logs only state transitions - not continuous activity - so CSV files stay small
- Each user on a machine gets their own CSV and state file
- Logs are written to
C:\ProgramData\IdleMonitor\
Log file naming: IdleEvents-<username>-<yyyy-mm-dd>.csv
| File | Purpose |
|---|---|
IdleMonitor.ps1 |
The background monitoring script |
RunIdleMonitor.vbs |
Silent launcher - prevents a PowerShell window appearing at logon |
Install-IdleMonitorTask.ps1 |
Installer - copies files, compiles the native DLL, registers the scheduled task |
Uninstall-IdleMonitorTask.ps1 |
Removes both scheduled tasks and deletes all script files (CSV logs are preserved) |
IdleReportGenerator.html |
Offline report tool - converts CSVs into a formatted HTML activity report |
Send-IdleReport.ps1 |
Automated report script - generates HTML reports from CSVs and emails them via Microsoft Graph |
Use this method to install on a single machine without Intune.
Prerequisites: Administrator rights on the machine.
-
Copy the following files into the same folder on the target machine:
IdleMonitor.ps1RunIdleMonitor.vbsInstall-IdleMonitorTask.ps1Send-IdleReport.ps1(configured with your credentials - see Automated Report Delivery)
-
Open PowerShell as Administrator (right-click → Run as administrator)
-
Navigate to the folder containing the files:
cd "C:\path\to\your\folder" -
Run the installer:
Set-ExecutionPolicy Bypass -Scope Process -Force & ".\Install-IdleMonitorTask.ps1"
-
Confirm success - you should see:
DLL compiled to: C:\ProgramData\IdleMonitor\IdleTimeNative.dll Copied: IdleMonitor.ps1 Copied: RunIdleMonitor.vbs Copied: Send-IdleReport.ps1 Folder ACL set - Users can read/execute and write CSV files Locked: Send-IdleReport.ps1 Scheduled task created: AuditMonitor Scheduled task created: IdleMonitorReport Monitor script path: C:\ProgramData\IdleMonitor\IdleMonitor.ps1 Report script path: C:\ProgramData\IdleMonitor\Send-IdleReport.ps1 Started task immediately: AuditMonitor -
Verify the scheduled task was created by opening Task Scheduler (
taskschd.msc) and confirming AuditMonitor appears in the Task Scheduler Library with an At log on trigger.
The monitor starts immediately after install and will also run automatically at every subsequent logon. Both tasks (AuditMonitor and IdleMonitorReport) will be visible in Task Scheduler.
Note: If running the installer manually from
C:\ProgramData\IdleMonitor\rather than a separate folder, you will see copy warnings for each file -- these are harmless. The files are already in place and the warnings do not affect task registration.
Use this method to silently deploy to managed devices at scale.
- Microsoft Intune access
- IntuneWinAppUtil.exe (Win32 Content Prep Tool)
- Defender exclusion policy configured (see below)
Create a folder containing:
IdleMonitor.ps1RunIdleMonitor.vbsInstall-IdleMonitorTask.ps1Uninstall-IdleMonitorTask.ps1Send-IdleReport.ps1(configured with your credentials before packaging - see Automated Report Delivery)
Note: The DLL is compiled on the endpoint by the installer - do not include IdleTimeNative.dll in the package.
Run the following from a command prompt:
IntuneWinAppUtil.exe -c "C:\IdleMonitor-Package" -s "Install-IdleMonitorTask.ps1" -o "C:\Output"This produces Install-IdleMonitorTask.intunewin.
In the Intune portal, go to Apps → Windows → Add → Windows app (Win32) and upload the .intunewin file.
Configure the app with these settings:
| Field | Value |
|---|---|
| Name | IdleMonitor |
| Install command | powershell.exe -NoProfile -ExecutionPolicy Bypass -File Install-IdleMonitorTask.ps1 |
| Uninstall command | powershell.exe -NoProfile -ExecutionPolicy Bypass -File Uninstall-IdleMonitorTask.ps1 |
| Install behavior | System |
| Device restart behavior | No specific action |
Use a File detection rule:
| Setting | Value |
|---|---|
| Rule type | File |
| Path | C:\ProgramData\IdleMonitor |
| File or folder | IdleMonitor.ps1 |
| Detection method | File or folder exists |
Before deploying, create an Antivirus policy in Intune to prevent Defender from blocking the DLL compilation step.
Go to Endpoint Security → Antivirus → Create policy → Windows 10 and later / Microsoft Defender Antivirus and add the following path exclusion:
C:\ProgramData\IdleMonitor\
Assign this policy to the same device group as the app and ensure it deploys before or alongside the app.
- Assign the app to a Device group (not users)
- Deploy the Defender exclusion policy to the same group
- Monitor deployment status in Intune - check
C:\ProgramData\IdleMonitor\Install.logon any device for a full transcript of the installation
Update the app assignment to Uninstall for the target device group. Intune will run Uninstall-IdleMonitorTask.ps1 automatically.
Run the following as Administrator:
Set-ExecutionPolicy Bypass -Scope Process -Force
& "C:\path\to\Uninstall-IdleMonitorTask.ps1"- AuditMonitor scheduled task
- IdleMonitorReport scheduled task
- All script and support files from
C:\ProgramData\IdleMonitor\ - State files (
.state) used by the monitor between sessions
CSV activity logs (IdleEvents-*.csv) are intentionally kept so activity data is not lost on reinstall or for records. The folder itself is only removed if it is empty after cleanup.
No CSV files appearing after logon The monitor only logs when a state change occurs. If the user has been consistently active or idle since logon, no entry is written yet. Wait for the first Active → Idle or Idle → Active transition (typically after 5 minutes of inactivity).
Scheduled task not created
Check C:\ProgramData\IdleMonitor\Install.log for the full error. Common causes:
- Installer was not run as Administrator
- Script signing mismatch (re-sign the installer after any edits)
- Intune install context not set to System
AV flagging the DLL
Ensure the Defender exclusion for C:\ProgramData\IdleMonitor\ is in place before the app deploys. The exclusion policy should be assigned to the same device group and set to deploy first.
Install.log shows "Access to path is denied" for DLL
This occurred in earlier versions when the DLL was bundled in the package. The current installer compiles the DLL directly on the endpoint - if you see this error, confirm you are using the latest version of Install-IdleMonitorTask.ps1.
IdleReportGenerator.html is a standalone offline tool that converts IdleEvents CSV files into a formatted HTML activity report. It runs entirely in the browser - no data leaves the machine.
- A per-day timeline showing active (blue) and idle (yellow) periods between 7am and 6pm
- Session start and end times for each day
- Daily totals for active time, idle time, and longest single idle period
- Colour-coded idle durations: green (≤30 min), amber (31–59 min), red (≥60 min)
- Extended absences (idle periods over 2 hours outside business hours) are excluded from daily totals and noted separately
- Public holidays and no-work days can be annotated on the report
-
Open
IdleReportGenerator.htmlin any modern browser (Chrome, Edge, Firefox) -
Collect the CSV files from the target machine at
C:\ProgramData\IdleMonitor\- files are namedIdleEvents-<username>-<yyyy-mm-dd>.csv -
Drag and drop the CSV files onto the drop zone, or click to browse and select them. You can load multiple files at once to cover multiple days in a single report.
-
Optionally fill in the following fields:
- User display name - overrides the auto-detected username in the report header
- Device name - overrides the auto-detected computer name
- Public holidays - enter dates to annotate on the report in the format
dd/mm/yyyy=Label, separated by commas. Example:25/04/2026=ANZAC Day, 26/04/2026
-
Click Generate & download report
-
The report downloads automatically as
IdleReport-<username>.htmland opens in the browser. Share this file directly - it is fully self-contained and requires no internet connection to view.
Each day displays as a card with a to-scale activity timeline. Click any day card to expand the full idle event log for that day, showing each idle period with its start time and duration. Hover over any segment in the timeline to see exact start and end times.
The summary table at the bottom of the generator page gives a quick overview of all loaded days before downloading.
Send-IdleReport.ps1 runs daily as a scheduled task, automatically generates the HTML activity report from the previous day's CSV, and emails it via Microsoft Graph - no manual access to the machine required.
- A Microsoft Entra app registration with
Mail.Sendapplication permission (admin consent granted) - A shared mailbox in your M365 tenant to send from
- The script deployed to
C:\ProgramData\IdleMonitor\Send-IdleReport.ps1on each monitored machine
- Go to Entra admin center → App registrations → New registration
- Name it (e.g.
IdleMonitor Reports), leave redirect URI blank, click Register - Note the Application (client) ID and Directory (tenant) ID from the Overview page
- Go to Certificates & secrets → New client secret, set an expiry, and copy the value immediately
- Go to API permissions → Add a permission → Microsoft Graph → Application permissions
- Add
Mail.Send, then click Grant admin consent
Edit the configuration block at the top of Send-IdleReport.ps1:
$TenantId = 'YOUR_TENANT_ID'
$ClientId = 'YOUR_CLIENT_ID'
$ClientSecret = 'YOUR_CLIENT_SECRET'
$SendFrom = 'idlereports@yourdomain.com' # Shared mailbox in your tenant
$SendTo = 'helpdesk@yourdomain.com' # Where reports are delivered
$ReportFolder = 'C:\ProgramData\IdleMonitor'
$ProcessDays = 1 # 1 = yesterday's dataSecurity note: Do not commit the script with real credentials to a public repository. Store the configured version locally or in a private location.
The IdleMonitorReport scheduled task is registered automatically by Install-IdleMonitorTask.ps1 - no manual task creation is needed. It is configured to run daily at 7am as SYSTEM, with -StartWhenAvailable so it fires as soon as the machine comes online if it was offline at 7am.
Each morning the script:
- Finds the previous day's CSV at
C:\ProgramData\IdleMonitor\IdleEvents-<username>-<date>.csv - Processes the activity data and generates a self-contained HTML report
- Attaches the report and sends it to
$SendTovia Microsoft Graph - If multiple users share the machine, one email is sent per user CSV
To test manually before the scheduled task runs:
Set-ExecutionPolicy Bypass -Scope Process -Force
& "C:\ProgramData\IdleMonitor\Send-IdleReport.ps1"To test with today's data (rather than waiting for tomorrow), temporarily set $ProcessDays = 0 in the script.
No CSV found - nothing to send
The script only runs if a CSV exists for the target date. Confirm the monitor has been running and a state change has occurred (Active → Idle or Idle → Active). Check for the file at C:\ProgramData\IdleMonitor\.
Authentication error from Graph
Verify the Tenant ID, Client ID, and Client Secret are correct. Confirm Mail.Send has admin consent granted in Entra. Client secrets expire - check the expiry date in Entra and rotate if needed.
Email not received
Confirm $SendFrom is a real mailbox that exists in the tenant. Shared mailboxes work; distribution lists do not. Check the recipient's junk/spam folder.