diff --git a/cmd/stepsecurity-dev-machine-guard/main.go b/cmd/stepsecurity-dev-machine-guard/main.go
index 4782e69..7227023 100644
--- a/cmd/stepsecurity-dev-machine-guard/main.go
+++ b/cmd/stepsecurity-dev-machine-guard/main.go
@@ -305,6 +305,17 @@ func main() {
 			return
 		}
 
+		// On macOS, launchd.Install already loaded the plist, and RunAtLoad=true
+		// runs the initial scan immediately under the user's GUI session. Don't
+		// also scan inline here — that would double-scan at install (two TCC
+		// rounds + two uploads), with the second run blocked on the singleton
+		// lock. Mirrors the Windows-SYSTEM path above; the launchd-triggered
+		// scan's output lands in agent.log.
+		if runtime.GOOS == "darwin" {
+			runHookStateReconcile(exec, log)
+			return
+		}
+
 		log.Progress("Sending initial telemetry...")
 		fmt.Println()
 		armExecutionWatchdog(telemetry.ExecutionDeadline(config.MaxExecutionDuration), log)
diff --git a/internal/config/config.go b/internal/config/config.go
index ee88714..1e24ff8 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -219,6 +219,10 @@ func RunConfigure() error {
 	existing.APIEndpoint = promptValue(reader, "API Endpoint", existing.APIEndpoint)
 	existing.APIKey = promptSecret(reader, "API Key", existing.APIKey)
 	existing.ScanFrequencyHours = promptValue(reader, "Scan Frequency (hours)", existing.ScanFrequencyHours)
+	// Whole-process execution watchdog. A Go duration string ("2h", "30m"),
+	// "off"/"0" to disable, or blank for the built-in 4h default. See
+	// telemetry.ExecutionDeadline.
+	existing.MaxExecutionDuration = promptValue(reader, "Max Execution Duration (e.g. 2h, 30m; 'off' to disable; blank = default 4h)", existing.MaxExecutionDuration)
 
 	// Search dirs
 	currentDirs := ""
@@ -302,6 +306,23 @@ func RunConfigure() error {
 		existing.EnablePythonScan = nil
 	}
 
+	// Include macOS TCC-protected dirs (Documents, Downloads, ~/Library/Mail,
+	// …). Default is to skip them so the agent never triggers permission
+	// prompts; opt in only after granting Full Disk Access (PPPC profile or
+	// System Settings). See docs/macos-tcc-permissions.md. Stored only when
+	// enabled — anything but "true" clears it back to the default skip.
+	currentTCC := "false"
+	if existing.IncludeTCCProtected != nil && *existing.IncludeTCCProtected {
+		currentTCC = "true"
+	}
+	tccInput := promptValue(reader, "Scan macOS TCC-protected dirs — Documents, Downloads, … (true/false)", currentTCC)
+	if strings.EqualFold(strings.TrimSpace(tccInput), "true") {
+		v := true
+		existing.IncludeTCCProtected = &v
+	} else {
+		existing.IncludeTCCProtected = nil
+	}
+
 	// Color mode
 	currentColor := existing.ColorMode
 	if currentColor == "" {
@@ -485,10 +506,12 @@ func ShowConfigure() {
 	fmt.Printf("  %-24s %s\n", "API Endpoint:", displayValue(cfg.APIEndpoint))
 	fmt.Printf("  %-24s %s\n", "API Key:", maskSecret(cfg.APIKey))
 	fmt.Printf("  %-24s %s\n", "Scan Frequency:", displayFrequency(cfg.ScanFrequencyHours))
+	fmt.Printf("  %-24s %s\n", "Max Execution Duration:", displayMaxExecution(cfg.MaxExecutionDuration))
 	fmt.Printf("  %-24s %s\n", "Search Directories:", displayDirs(cfg.SearchDirs))
 	fmt.Printf("  %-24s %s\n", "Enable NPM Scan:", displayBoolScan(cfg.EnableNPMScan))
 	fmt.Printf("  %-24s %s\n", "Enable Brew Scan:", displayBoolScan(cfg.EnableBrewScan))
 	fmt.Printf("  %-24s %s\n", "Enable Python Scan:", displayBoolScan(cfg.EnablePythonScan))
+	fmt.Printf("  %-24s %s\n", "Scan TCC-Protected Dirs:", displayTCC(cfg.IncludeTCCProtected))
 	fmt.Printf("  %-24s %s\n", "Color Mode:", displayColorMode(cfg.ColorMode))
 	fmt.Printf("  %-24s %s\n", "Output Format:", displayOutputFormat(cfg.OutputFormat))
 	if cfg.OutputFormat == "html" {
@@ -575,6 +598,30 @@ func displayInstallDir(v string) string {
 	return v
 }
 
+// displayMaxExecution renders the execution-watchdog setting. Empty falls back
+// to the built-in 4h default; "0"/"off" disables the watchdog; any other value
+// is a Go duration string echoed as-is (validated at run time by
+// telemetry.ExecutionDeadline).
+func displayMaxExecution(v string) string {
+	switch v {
+	case "":
+		return "4h (default)"
+	case "0", "off":
+		return "off (watchdog disabled)"
+	default:
+		return v
+	}
+}
+
+// displayTCC renders the macOS TCC opt-in. nil/false both mean the default
+// (skip TCC-protected dirs to avoid permission prompts); true means scan them.
+func displayTCC(v *bool) string {
+	if v != nil && *v {
+		return "true (scanning TCC-protected dirs)"
+	}
+	return "false (default — TCC-protected dirs skipped)"
+}
+
 func isPlaceholder(v string) bool {
 	return strings.Contains(v, "{{")
 }
diff --git a/internal/launchd/launchd.go b/internal/launchd/launchd.go
index 36da136..64f8cf2 100644
--- a/internal/launchd/launchd.go
+++ b/internal/launchd/launchd.go
@@ -38,6 +38,22 @@ const (
 // detector) can check for an installed footprint without re-deriving the path.
 const DaemonPlistPath = daemonPlistPath
 
+// Label is the launchd job label for the agent. Exported so other packages
+// (e.g. schedinfo) can address the job without re-deriving the constant.
+const Label = label
+
+// DomainTarget returns the launchd domain and the domain/label service target
+// for the current privilege level: the system domain for a root LaunchDaemon,
+// gui/<uid> for a per-user LaunchAgent. Single source of truth for the domain
+// math reused by Install/Uninstall and the scheduler-info collector.
+func DomainTarget(exec executor.Executor) (domain, target string) {
+	domain = "system"
+	if !exec.IsRoot() {
+		domain = fmt.Sprintf("gui/%d", os.Getuid())
+	}
+	return domain, domain + "/" + label
+}
+
 // UserPlistPath returns the per-user launchd plist path installed when the
 // agent runs without root. Empty when the home directory cannot be resolved.
 func UserPlistPath() string {
@@ -52,7 +68,12 @@ func agentPlistPath() string {
 	return homeDir + "/Library/LaunchAgents/com.stepsecurity.agent.plist"
 }
 
-// Install configures launchd for periodic scanning. If already installed, upgrades.
+// Install configures launchd for periodic scanning and loads the job
+// (upgrading in place if already installed). With RunAtLoad=true, loading the
+// job triggers the run immediately — so this load IS the initial scan and the
+// install command deliberately does NOT scan inline on macOS (see main.go).
+// Doing both would double-scan at install: once inline, once at load, with the
+// second blocked on the singleton lock.
 func Install(exec executor.Executor, log *progress.Logger) error {
 	ctx := context.Background()
 
@@ -160,15 +181,14 @@ func Install(exec executor.Executor, log *progress.Logger) error {
 
 	log.Debug("launchd install: plist=%q log_dir=%q interval=%ds user_home=%q is_root=%v", plistPath, logDir, intervalSeconds, userHome, exec.IsRoot())
 
-	// Bootstrap plist into its launchd domain. Apple actively recommends
-	// `bootstrap`/`bootout` over the older `load`/`unload` verbs, which
-	// are on the path to deprecation. Root daemons live in the `system`
-	// domain; user LaunchAgents in `gui/<uid>`. Available since macOS
-	// 10.11, so every machine we target supports it.
-	domain := "system"
-	if !exec.IsRoot() {
-		domain = fmt.Sprintf("gui/%d", os.Getuid())
-	}
+	// Bootstrap the plist into its launchd domain. With RunAtLoad=true this
+	// runs the job immediately, so this load IS the initial scan — the install
+	// command does NOT scan inline on macOS (that would double-scan: once
+	// inline, once at load, the second blocked on the singleton lock). The scan
+	// runs under the user's GUI session and logs to agent.log. Apple recommends
+	// bootstrap/bootout over the deprecated load/unload verbs; root daemons live
+	// in the `system` domain, user LaunchAgents in `gui/<uid>` — see DomainTarget.
+	domain, _ := DomainTarget(exec)
 	_, stderr, exitCode, err := exec.Run(ctx, "launchctl", "bootstrap", domain, plistPath)
 	log.Debug("launchctl bootstrap %q %q: exit_code=%d err=%v stderr=%q", domain, plistPath, exitCode, err, stderr)
 	if err != nil {
@@ -181,8 +201,7 @@ func Install(exec executor.Executor, log *progress.Logger) error {
 	log.Progress("launchd configuration completed successfully")
 	log.Progress("  Plist: %s", plistPath)
 	log.Progress("  Logs: %s/agent.log", logDir)
-	log.Progress("Installation complete!")
-	log.Progress("The agent will now run automatically every %d hours", hours)
+	log.Progress("The agent will run now (via launchd) and then every %d hours, plus at login", hours)
 
 	return nil
 }
@@ -274,7 +293,7 @@ const plistTmpl = `<?xml version="1.0" encoding="UTF-8"?>
     <key>StartInterval</key>
     <integer>{{.IntervalSeconds}}</integer>
     <key>RunAtLoad</key>
-    <false/>{{if or .UserHome .StepSecurityHome}}
+    <true/>{{if or .UserHome .StepSecurityHome}}
     <key>EnvironmentVariables</key>
     <dict>{{if .UserHome}}
         <key>HOME</key>
diff --git a/internal/launchd/launchd_test.go b/internal/launchd/launchd_test.go
new file mode 100644
index 0000000..f57e7d1
--- /dev/null
+++ b/internal/launchd/launchd_test.go
@@ -0,0 +1,55 @@
+package launchd
+
+import (
+	"strings"
+	"testing"
+	"text/template"
+
+	"github.com/step-security/dev-machine-guard/internal/executor"
+)
+
+func TestPlistTemplate_RunAtLoadAndScheduled(t *testing.T) {
+	tmpl, err := template.New("plist").Parse(plistTmpl)
+	if err != nil {
+		t.Fatalf("parse template: %v", err)
+	}
+	var sb strings.Builder
+	if err := tmpl.Execute(&sb, plistTemplateData{
+		Label:           label,
+		BinaryPath:      "/usr/local/bin/stepsecurity-dev-machine-guard",
+		IntervalSeconds: 14400,
+		LogDir:          "/Users/dev/.stepsecurity",
+	}); err != nil {
+		t.Fatalf("execute template: %v", err)
+	}
+	out := sb.String()
+
+	// RunAtLoad must be true so login/boot is a (gated) catch-up trigger.
+	if !strings.Contains(out, "<key>RunAtLoad</key>\n    <true/>") {
+		t.Errorf("plist must set RunAtLoad=true:\n%s", out)
+	}
+	if strings.Contains(out, "<false/>") {
+		t.Errorf("plist must not contain RunAtLoad=false:\n%s", out)
+	}
+	if !strings.Contains(out, "<string>send-telemetry</string>") {
+		t.Errorf("plist must invoke send-telemetry:\n%s", out)
+	}
+}
+
+func TestDomainTarget(t *testing.T) {
+	root := executor.NewMock()
+	root.SetIsRoot(true)
+	if domain, target := DomainTarget(root); domain != "system" || target != "system/"+label {
+		t.Errorf("root DomainTarget = %q,%q; want system, system/%s", domain, target, label)
+	}
+
+	user := executor.NewMock()
+	user.SetIsRoot(false)
+	domain, target := DomainTarget(user)
+	if !strings.HasPrefix(domain, "gui/") {
+		t.Errorf("non-root domain = %q, want gui/<uid>", domain)
+	}
+	if target != domain+"/"+label {
+		t.Errorf("target = %q, want %q", target, domain+"/"+label)
+	}
+}
diff --git a/internal/schedinfo/info_darwin.go b/internal/schedinfo/info_darwin.go
new file mode 100644
index 0000000..84d8981
--- /dev/null
+++ b/internal/schedinfo/info_darwin.go
@@ -0,0 +1,104 @@
+//go:build darwin
+
+package schedinfo
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/step-security/dev-machine-guard/internal/executor"
+	"github.com/step-security/dev-machine-guard/internal/launchd"
+)
+
+func gather(ctx context.Context, exec executor.Executor) Info {
+	info := Info{
+		Platform:        "darwin",
+		Manager:         "launchd",
+		Label:           launchd.Label,
+		ConfiguredHours: configuredHours(),
+		Management:      ManagementUnknown,
+		LogMtime:        logMtime(),
+	}
+
+	// Resolve the plist for this run's privilege level (root LaunchDaemon vs
+	// per-user LaunchAgent), mirroring the install/uninstall paths.
+	plistPath := launchd.DaemonPlistPath
+	if !exec.IsRoot() {
+		plistPath = launchd.UserPlistPath()
+	}
+	info.UnitPath = plistPath
+	info.Scheduled = exec.FileExists(plistPath)
+
+	// Parse the plist directly — it's our own well-formed XML, so reading
+	// StartInterval/RunAtLoad/ProgramArguments from disk is more robust than
+	// scraping plutil and needs no subprocess.
+	if data, err := os.ReadFile(plistPath); err == nil {
+		if pl, perr := parsePlist(data); perr == nil {
+			if pl.StartInterval > 0 {
+				info.IntervalSeconds = pl.StartInterval
+			}
+			ral := pl.RunAtLoad
+			info.RunAtLoad = &ral
+			info.Management = managementFromCmd(strings.Join(pl.ProgramArguments, " "))
+		} else {
+			info.Warnings = append(info.Warnings, fmt.Sprintf("parse plist %s: %v", plistPath, perr))
+		}
+	} else if info.Scheduled {
+		info.Warnings = append(info.Warnings, fmt.Sprintf("read plist %s: %v", plistPath, err))
+	}
+
+	// Live runtime state via `launchctl print <domain>/<label>` — parsed for
+	// state / pid / last-exit-code. We deliberately do NOT dump its full output:
+	// it's ~100 lines of internal launchd detail (endpoints, sandbox, inherited
+	// env) that's noise for troubleshooting. The concise plist config below is
+	// the illustrative dump instead.
+	domain, target := launchd.DomainTarget(exec)
+	stdout, stderr, code, err := exec.RunWithTimeout(ctx, queryTimeout, "launchctl", "print", target)
+	switch {
+	case err != nil:
+		info.Warnings = append(info.Warnings, fmt.Sprintf("launchctl print %s: %v", target, err))
+	case code != 0:
+		// Expected on no-GUI / SSH sessions ("Could not find service ...",
+		// "Bootstrap failed: 5") — see docs/launchd-troubleshooting.md.
+		info.Warnings = append(info.Warnings, fmt.Sprintf("launchctl print %s exited %d: %s", target, code, firstLine(stderr)))
+	default:
+		info.Loaded = true
+		applyLaunchctlPrint(&info, stdout)
+	}
+
+	// Fallback: `launchctl list <label>` for last exit + pid when print failed.
+	if !info.Loaded {
+		if out, _, c, e := exec.RunWithTimeout(ctx, queryTimeout, "launchctl", "list", launchd.Label); e == nil && c == 0 {
+			info.Loaded = strings.Contains(out, "LastExitStatus") || strings.Contains(out, launchd.Label)
+			applyLaunchctlList(&info, out)
+		}
+	}
+	_ = domain // domain currently informational; target carries it
+
+	// Illustrative config dump: `plutil -p` of the plist — the focused, readable
+	// schedule config (Label, ProgramArguments, StartInterval, RunAtLoad, env),
+	// the macOS analog of `schtasks /query /v`, far less noisy than launchctl print.
+	if out, _, c, e := exec.RunWithTimeout(ctx, queryTimeout, "plutil", "-p", plistPath); e == nil && c == 0 {
+		info.Raw = strings.TrimSpace(out)
+	}
+
+	// launchd exposes no "next fire" for a StartInterval job, so estimate it from
+	// the last run (agent.log mtime) + the interval. Labeled an estimate so it's
+	// not mistaken for a value launchd reported.
+	if !info.LogMtime.IsZero() && info.IntervalSeconds > 0 {
+		next := info.LogMtime.Add(time.Duration(info.IntervalSeconds) * time.Second)
+		info.NextRunTime = next.Format(time.RFC3339) + " (estimated: last run + interval)"
+	}
+
+	// Drift note: plist interval vs configured hours is a real misconfig signal.
+	if info.IntervalSeconds > 0 && info.ConfiguredHours > 0 && info.IntervalSeconds != info.ConfiguredHours*3600 {
+		info.Warnings = append(info.Warnings, fmt.Sprintf(
+			"plist StartInterval=%ds disagrees with config scan_frequency_hours=%d (%ds)",
+			info.IntervalSeconds, info.ConfiguredHours, info.ConfiguredHours*3600))
+	}
+
+	return info
+}
diff --git a/internal/schedinfo/info_linux.go b/internal/schedinfo/info_linux.go
new file mode 100644
index 0000000..6b43324
--- /dev/null
+++ b/internal/schedinfo/info_linux.go
@@ -0,0 +1,50 @@
+//go:build linux
+
+package schedinfo
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/step-security/dev-machine-guard/internal/executor"
+	"github.com/step-security/dev-machine-guard/internal/systemd"
+)
+
+// gather is best-effort on Linux: it confirms the systemd user timer footprint
+// and captures `systemctl --user list-timers` output (logged at Debug) for the
+// NEXT/LAST columns. Detailed per-field parsing is intentionally skipped — the
+// table is locale/width-dependent; the agent.log mtime serves as the last-run
+// proxy. macOS and Windows are the richly-parsed targets.
+func gather(ctx context.Context, exec executor.Executor) Info {
+	info := Info{
+		Platform:        "linux",
+		Manager:         "systemd",
+		Label:           "stepsecurity-dev-machine-guard.timer",
+		ConfiguredHours: configuredHours(),
+		Management:      ManagementUnknown,
+		LogMtime:        logMtime(),
+	}
+	if info.ConfiguredHours > 0 {
+		info.IntervalSeconds = info.ConfiguredHours * 3600
+	}
+
+	unitPath := systemd.TimerUnitPath()
+	info.UnitPath = unitPath
+	info.Scheduled = exec.FileExists(unitPath)
+
+	out, stderr, code, err := exec.RunWithTimeout(ctx, queryTimeout,
+		"systemctl", "--user", "list-timers", "--all", "--no-pager")
+	switch {
+	case err != nil:
+		info.Warnings = append(info.Warnings, fmt.Sprintf("systemctl list-timers: %v", err))
+	case code != 0:
+		info.Warnings = append(info.Warnings, fmt.Sprintf("systemctl list-timers exited %d: %s", code, firstLine(stderr)))
+	default:
+		info.Raw = out
+		if strings.Contains(out, "stepsecurity-dev-machine-guard") {
+			info.Loaded = true
+		}
+	}
+	return info
+}
diff --git a/internal/schedinfo/info_other.go b/internal/schedinfo/info_other.go
new file mode 100644
index 0000000..7f4bd65
--- /dev/null
+++ b/internal/schedinfo/info_other.go
@@ -0,0 +1,15 @@
+//go:build !darwin && !windows && !linux
+
+package schedinfo
+
+import (
+	"context"
+	"runtime"
+
+	"github.com/step-security/dev-machine-guard/internal/executor"
+)
+
+// gather is a no-op on platforms without a supported scheduler integration.
+func gather(_ context.Context, _ executor.Executor) Info {
+	return Info{Platform: runtime.GOOS, Management: ManagementUnknown}
+}
diff --git a/internal/schedinfo/info_windows.go b/internal/schedinfo/info_windows.go
new file mode 100644
index 0000000..c5ba283
--- /dev/null
+++ b/internal/schedinfo/info_windows.go
@@ -0,0 +1,43 @@
+//go:build windows
+
+package schedinfo
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/step-security/dev-machine-guard/internal/executor"
+	"github.com/step-security/dev-machine-guard/internal/schtasks"
+)
+
+func gather(ctx context.Context, exec executor.Executor) Info {
+	info := Info{
+		Platform:        "windows",
+		Manager:         "schtasks",
+		Label:           schtasks.TaskName,
+		ConfiguredHours: configuredHours(),
+		Management:      ManagementUnknown,
+		LogMtime:        logMtime(),
+	}
+	// schtasks /v doesn't reliably surface the repetition interval for
+	// /sc HOURLY, so derive it from config (the value baked at install time).
+	if info.ConfiguredHours > 0 {
+		info.IntervalSeconds = info.ConfiguredHours * 3600
+	}
+
+	info.Scheduled = schtasks.IsTaskRegistered()
+
+	stdout, stderr, code, err := exec.RunWithTimeout(ctx, queryTimeout,
+		"schtasks", "/query", "/tn", schtasks.TaskName, "/v", "/fo", "LIST")
+	switch {
+	case err != nil:
+		info.Warnings = append(info.Warnings, fmt.Sprintf("schtasks query: %v", err))
+	case code != 0:
+		info.Warnings = append(info.Warnings, fmt.Sprintf("schtasks query exited %d: %s", code, firstLine(stderr)))
+	default:
+		info.Loaded = true
+		info.Raw = stdout
+		applySchtasksList(&info, stdout)
+	}
+	return info
+}
diff --git a/internal/schedinfo/schedinfo.go b/internal/schedinfo/schedinfo.go
new file mode 100644
index 0000000..79f977e
--- /dev/null
+++ b/internal/schedinfo/schedinfo.go
@@ -0,0 +1,403 @@
+// Package schedinfo gathers and logs the agent's own scheduler state —
+// launchd on macOS, Task Scheduler on Windows, systemd on Linux — for
+// troubleshooting. It answers "did the agent run, when, how often, and how
+// is it scheduled?" from inside agent.log, so an operator no longer has to
+// reproduce `launchctl print` / `schtasks /query /v` by hand (the manual
+// recipes live in docs/launchd-troubleshooting.md).
+//
+// Every gather path is best-effort: short per-command timeouts, failures
+// recorded in Info.Warnings, and Gather never returns an error — a flaky
+// launchctl/schtasks/systemctl call can't fail a scan. The pure parse
+// helpers live in this (untagged) file so they compile and unit-test on any
+// OS; the platform files only orchestrate the subprocess calls.
+package schedinfo
+
+import (
+	"bytes"
+	"context"
+	"encoding/xml"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/step-security/dev-machine-guard/internal/config"
+	"github.com/step-security/dev-machine-guard/internal/executor"
+	"github.com/step-security/dev-machine-guard/internal/paths"
+	"github.com/step-security/dev-machine-guard/internal/progress"
+)
+
+// queryTimeout caps each scheduler-introspection subprocess. Kept short so
+// the whole phase stays well inside its budget even if several queries hang
+// (launchctl over a broken session, schtasks during a Schedule-service
+// hiccup).
+const queryTimeout = 3 * time.Second
+
+// Management classifies who owns the scheduler entry, inferred from the
+// program the plist/task invokes.
+type Management string
+
+const (
+	ManagementUnknown Management = "unknown"
+	ManagementLoader  Management = "loader" // runs stepsecurity-loader.{sh,ps1}
+	ManagementBinary  Management = "binary" // runs the agent binary directly
+)
+
+// Info is a best-effort snapshot of the agent's scheduler state. Empty
+// strings / zero ints mean "unknown"; pointer fields are nil when the value
+// could not be determined (distinct from a real zero).
+type Info struct {
+	Platform        string     // runtime.GOOS
+	Manager         string     // "launchd" | "schtasks" | "systemd" | ""
+	Scheduled       bool       // a scheduler footprint exists on disk
+	Loaded          bool       // the scheduler currently knows the job
+	Management      Management // loader vs binary vs unknown
+	Label           string     // launchd label / windows task name / systemd unit
+	UnitPath        string     // plist / unit path ("" on windows)
+	State           string     // launchd "state" / schtasks "Status"
+	IntervalSeconds int        // schedule interval (0 = unknown)
+	ConfiguredHours int        // config.ScanFrequencyHours (cross-check)
+	RunAtLoad       *bool      // macOS only; nil elsewhere
+	LastRunTime     string     // human-readable last-run
+	LastExitCode    *int       // launchd "last exit code" / windows "Last Result"
+	NextRunTime     string     // windows "Next Run Time"; "" where unavailable
+	MissedRuns      *int       // windows "Number of Missed Runs"; nil elsewhere
+	PID             *int       // running PID when in-flight
+	LogMtime        time.Time  // mtime of <Home>/agent.log as a last-run proxy
+	Raw             string     // raw command output, logged at Debug
+	Warnings        []string   // per-query failures / drift notes, logged at Warn
+}
+
+// Gather collects scheduler state for the current platform. Best-effort;
+// never returns an error.
+func Gather(ctx context.Context, exec executor.Executor) Info {
+	return gather(ctx, exec)
+}
+
+// Log emits info's headline fields at Progress, the raw command dump at
+// Debug, and any warnings at Warn. Safe to call with a zero Info.
+func Log(info Info, log *progress.Logger) {
+	manager := info.Manager
+	if manager == "" {
+		manager = "none"
+	}
+	log.Progress("  Manager: %s (footprint=%v loaded=%v management=%s)", manager, info.Scheduled, info.Loaded, info.Management)
+
+	interval := "unknown"
+	if info.IntervalSeconds > 0 {
+		interval = fmt.Sprintf("%ds (~%dh)", info.IntervalSeconds, info.IntervalSeconds/3600)
+	}
+	log.Progress("  Interval: %s (config=%dh)", interval, info.ConfiguredHours)
+
+	switch {
+	case info.LastRunTime != "":
+		log.Progress("  Last run: %s", info.LastRunTime)
+	case !info.LogMtime.IsZero():
+		log.Progress("  Last run (agent.log mtime): %s", info.LogMtime.Format(time.RFC3339))
+	}
+	if info.NextRunTime != "" {
+		log.Progress("  Next run: %s", info.NextRunTime)
+	}
+	if info.LastExitCode != nil {
+		log.Progress("  Last exit code: %d", *info.LastExitCode)
+	}
+	if info.RunAtLoad != nil {
+		log.Progress("  RunAtLoad: %v", *info.RunAtLoad)
+	}
+	if info.MissedRuns != nil {
+		log.Progress("  Missed runs: %d", *info.MissedRuns)
+	}
+	if info.State != "" {
+		log.Progress("  State: %s", info.State)
+	}
+	if info.PID != nil {
+		log.Progress("  PID: %d", *info.PID)
+	}
+	if info.UnitPath != "" {
+		log.Progress("  Unit: %s", info.UnitPath)
+	}
+
+	// Full scheduler detail, line-prefixed so it stays readable in agent.log —
+	// the macOS/Linux analog of `schtasks /query /v /fo LIST`. Capped so a
+	// verbose `launchctl print` can't flood the log; the parsed summary above
+	// always carries the headline fields, and --verbose dumps the full text.
+	if info.Raw != "" {
+		log.Progress("  ----- scheduler detail (%s) -----", manager)
+		lines := strings.Split(strings.TrimRight(info.Raw, "\n"), "\n")
+		const maxLines = 80
+		for i, line := range lines {
+			if i >= maxLines {
+				log.Progress("  | ... (%d more lines; run with --verbose for the full text)", len(lines)-maxLines)
+				break
+			}
+			log.Progress("  | %s", line)
+		}
+		log.Progress("  ---------------------------------")
+		log.Debug("scheduler raw query output:\n%s", info.Raw)
+	}
+	for _, w := range info.Warnings {
+		log.Warn("scheduler: %s", w)
+	}
+}
+
+// configuredHours returns the configured scan frequency in hours, defaulting
+// to 4 when the value is unset, the build placeholder, or non-positive —
+// mirroring the installers' fallback.
+func configuredHours() int {
+	h, _ := strconv.Atoi(config.ScanFrequencyHours)
+	if h <= 0 {
+		return 4
+	}
+	return h
+}
+
+// logMtime returns the mtime of <Home>/agent.log as a last-run proxy, or the
+// zero time when it can't be resolved.
+func logMtime() time.Time {
+	home := paths.Home()
+	if home == "" {
+		return time.Time{}
+	}
+	fi, err := os.Stat(filepath.Join(home, "agent.log"))
+	if err != nil {
+		return time.Time{}
+	}
+	return fi.ModTime()
+}
+
+// firstLine returns the first non-empty line of s, trimmed — used to keep
+// multi-line stderr out of a single Warn line.
+func firstLine(s string) string {
+	s = strings.TrimSpace(s)
+	if before, _, found := strings.Cut(s, "\n"); found {
+		return strings.TrimSpace(before)
+	}
+	return s
+}
+
+// managementFromCmd infers loader-vs-binary management from a program/command
+// string (launchd ProgramArguments joined, or a schtasks "Task To Run" line).
+func managementFromCmd(cmd string) Management {
+	lc := strings.ToLower(cmd)
+	switch {
+	case strings.Contains(lc, "stepsecurity-loader"):
+		return ManagementLoader
+	case strings.Contains(lc, "stepsecurity-dev-machine-guard"), strings.Contains(lc, "send-telemetry"):
+		return ManagementBinary
+	default:
+		return ManagementUnknown
+	}
+}
+
+// --- launchd plist parsing (darwin) --------------------------------------
+
+type parsedPlist struct {
+	StartInterval    int
+	RunAtLoad        bool
+	ProgramArguments []string
+}
+
+// parsePlist extracts StartInterval, RunAtLoad, and ProgramArguments from our
+// own well-formed launchd plist via a token stream. Reading the file beats
+// scraping `plutil` output and avoids a subprocess. Keys we don't care about
+// (and nested dicts like EnvironmentVariables) are ignored.
+func parsePlist(data []byte) (parsedPlist, error) {
+	var pl parsedPlist
+	dec := xml.NewDecoder(bytes.NewReader(data))
+	curKey := ""
+	for {
+		tok, err := dec.Token()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return pl, err
+		}
+		se, ok := tok.(xml.StartElement)
+		if !ok {
+			continue
+		}
+		switch se.Name.Local {
+		case "key":
+			var k string
+			if err := dec.DecodeElement(&k, &se); err != nil {
+				return pl, err
+			}
+			curKey = strings.TrimSpace(k)
+			continue // preserve curKey for the value element that follows
+		case "true":
+			if curKey == "RunAtLoad" {
+				pl.RunAtLoad = true
+			}
+		case "false":
+			if curKey == "RunAtLoad" {
+				pl.RunAtLoad = false
+			}
+		case "integer":
+			var v string
+			if err := dec.DecodeElement(&v, &se); err != nil {
+				return pl, err
+			}
+			if curKey == "StartInterval" {
+				pl.StartInterval, _ = strconv.Atoi(strings.TrimSpace(v))
+			}
+		case "array":
+			if curKey == "ProgramArguments" {
+				args, err := decodeStringArray(dec, se)
+				if err != nil {
+					return pl, err
+				}
+				pl.ProgramArguments = args
+			}
+		}
+		curKey = "" // any non-key value element ends the current key
+	}
+	return pl, nil
+}
+
+// decodeStringArray reads <string> children until the matching </array>.
+func decodeStringArray(dec *xml.Decoder, start xml.StartElement) ([]string, error) {
+	var out []string
+	for {
+		tok, err := dec.Token()
+		if err != nil {
+			return out, err
+		}
+		switch t := tok.(type) {
+		case xml.StartElement:
+			if t.Name.Local == "string" {
+				var s string
+				if err := dec.DecodeElement(&s, &t); err != nil {
+					return out, err
+				}
+				out = append(out, s)
+			}
+		case xml.EndElement:
+			if t.Name.Local == start.Name.Local {
+				return out, nil
+			}
+		}
+	}
+}
+
+// --- launchctl output parsing (darwin) -----------------------------------
+
+// applyLaunchctlPrint pulls state/pid/last-exit-code from `launchctl print`
+// output (lines of the form `key = value`).
+func applyLaunchctlPrint(info *Info, out string) {
+	if v, ok := scanField(out, "state"); ok {
+		info.State = v
+	}
+	if v, ok := scanField(out, "pid"); ok {
+		if n, err := strconv.Atoi(v); err == nil {
+			info.PID = &n
+		}
+	}
+	if v, ok := scanField(out, "last exit code"); ok {
+		if n, err := strconv.Atoi(v); err == nil {
+			info.LastExitCode = &n
+		}
+	}
+}
+
+// applyLaunchctlList pulls LastExitStatus/PID from `launchctl list <label>`
+// output (a plist-style dict), only filling fields print didn't already set.
+func applyLaunchctlList(info *Info, out string) {
+	if v, ok := scanQuotedField(out, "LastExitStatus"); ok && info.LastExitCode == nil {
+		if n, err := strconv.Atoi(v); err == nil {
+			info.LastExitCode = &n
+		}
+	}
+	if v, ok := scanQuotedField(out, "PID"); ok && info.PID == nil {
+		if n, err := strconv.Atoi(v); err == nil {
+			info.PID = &n
+		}
+	}
+}
+
+// scanField finds a `key = value` line (key bounded by `=`), tolerant of
+// leading indentation.
+func scanField(out, key string) (string, bool) {
+	for line := range strings.SplitSeq(out, "\n") {
+		line = strings.TrimSpace(line)
+		if !strings.HasPrefix(line, key) {
+			continue
+		}
+		rest := strings.TrimSpace(line[len(key):])
+		if !strings.HasPrefix(rest, "=") {
+			continue
+		}
+		return strings.TrimSpace(strings.TrimPrefix(rest, "=")), true
+	}
+	return "", false
+}
+
+// scanQuotedField finds a `"Key" = value;` line from a launchctl-list dict.
+func scanQuotedField(out, key string) (string, bool) {
+	needle := `"` + key + `"`
+	for line := range strings.SplitSeq(out, "\n") {
+		line = strings.TrimSpace(line)
+		if !strings.HasPrefix(line, needle) {
+			continue
+		}
+		rest := strings.TrimSpace(strings.TrimPrefix(line, needle))
+		if !strings.HasPrefix(rest, "=") {
+			continue
+		}
+		val := strings.TrimSpace(strings.TrimPrefix(rest, "="))
+		val = strings.TrimSpace(strings.TrimSuffix(val, ";"))
+		return strings.Trim(val, `"`), true
+	}
+	return "", false
+}
+
+// --- schtasks output parsing (windows) -----------------------------------
+
+// applySchtasksList pulls the run/result/schedule fields from
+// `schtasks /query /v /fo LIST` output. Field labels are English and matched
+// case-insensitively; a non-English Windows simply yields fewer fields.
+func applySchtasksList(info *Info, out string) {
+	if v, ok := scanColonField(out, "Last Run Time"); ok {
+		info.LastRunTime = v
+	}
+	if v, ok := scanColonField(out, "Next Run Time"); ok {
+		info.NextRunTime = v
+	}
+	if v, ok := scanColonField(out, "Status"); ok {
+		info.State = v
+	}
+	if v, ok := scanColonField(out, "Last Result"); ok {
+		if n, err := strconv.Atoi(strings.TrimSpace(v)); err == nil {
+			info.LastExitCode = &n
+		}
+	}
+	if v, ok := scanColonField(out, "Number of Missed Runs"); ok {
+		if n, err := strconv.Atoi(strings.TrimSpace(v)); err == nil {
+			info.MissedRuns = &n
+		}
+	}
+	if v, ok := scanColonField(out, "Task To Run"); ok {
+		info.Management = managementFromCmd(v)
+	}
+}
+
+// scanColonField finds a `Label: value` line, matching the label
+// case-insensitively and exactly (so "Last Run Time" doesn't match
+// "Run Time").
+func scanColonField(out, label string) (string, bool) {
+	ll := strings.ToLower(label)
+	for line := range strings.SplitSeq(out, "\n") {
+		name, val, found := strings.Cut(strings.TrimSpace(line), ":")
+		if !found {
+			continue
+		}
+		if strings.ToLower(strings.TrimSpace(name)) != ll {
+			continue
+		}
+		return strings.TrimSpace(val), true
+	}
+	return "", false
+}
diff --git a/internal/schedinfo/schedinfo_test.go b/internal/schedinfo/schedinfo_test.go
new file mode 100644
index 0000000..07fc8ea
--- /dev/null
+++ b/internal/schedinfo/schedinfo_test.go
@@ -0,0 +1,183 @@
+package schedinfo
+
+import (
+	"testing"
+
+	"github.com/step-security/dev-machine-guard/internal/progress"
+)
+
+func TestParsePlist(t *testing.T) {
+	plist := `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>Label</key>
+    <string>com.stepsecurity.agent</string>
+    <key>ProgramArguments</key>
+    <array>
+        <string>/usr/local/bin/stepsecurity-dev-machine-guard</string>
+        <string>send-telemetry</string>
+        <string>--scheduled</string>
+    </array>
+    <key>StartInterval</key>
+    <integer>14400</integer>
+    <key>RunAtLoad</key>
+    <true/>
+    <key>EnvironmentVariables</key>
+    <dict>
+        <key>HOME</key>
+        <string>/Users/dev</string>
+    </dict>
+</dict>
+</plist>`
+	pl, err := parsePlist([]byte(plist))
+	if err != nil {
+		t.Fatalf("parsePlist: %v", err)
+	}
+	if pl.StartInterval != 14400 {
+		t.Errorf("StartInterval = %d, want 14400", pl.StartInterval)
+	}
+	if !pl.RunAtLoad {
+		t.Error("RunAtLoad = false, want true")
+	}
+	if len(pl.ProgramArguments) != 3 ||
+		pl.ProgramArguments[1] != "send-telemetry" ||
+		pl.ProgramArguments[2] != "--scheduled" {
+		t.Errorf("ProgramArguments = %v", pl.ProgramArguments)
+	}
+}
+
+func TestParsePlist_RunAtLoadFalse(t *testing.T) {
+	plist := `<plist version="1.0"><dict>
+	<key>RunAtLoad</key><false/>
+	<key>StartInterval</key><integer>3600</integer>
+	</dict></plist>`
+	pl, err := parsePlist([]byte(plist))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if pl.RunAtLoad {
+		t.Error("RunAtLoad should be false")
+	}
+	if pl.StartInterval != 3600 {
+		t.Errorf("StartInterval = %d, want 3600", pl.StartInterval)
+	}
+}
+
+func TestParsePlist_Garbage(t *testing.T) {
+	// Malformed XML returns an error (the caller records it as a warning and
+	// carries on) — it must not panic.
+	if _, err := parsePlist([]byte("<plist><dict><key>oops")); err == nil {
+		t.Error("expected an error for truncated plist")
+	}
+}
+
+func TestApplyLaunchctlPrint(t *testing.T) {
+	out := `com.stepsecurity.agent = {
+	active count = 0
+	state = waiting
+	pid = 4321
+	program = /usr/local/bin/stepsecurity-dev-machine-guard
+	last exit code = 2
+}`
+	var info Info
+	applyLaunchctlPrint(&info, out)
+	if info.State != "waiting" {
+		t.Errorf("State = %q, want waiting", info.State)
+	}
+	if info.PID == nil || *info.PID != 4321 {
+		t.Errorf("PID = %v, want 4321", info.PID)
+	}
+	if info.LastExitCode == nil || *info.LastExitCode != 2 {
+		t.Errorf("LastExitCode = %v, want 2", info.LastExitCode)
+	}
+}
+
+func TestApplyLaunchctlList(t *testing.T) {
+	out := `{
+	"LastExitStatus" = 0;
+	"PID" = 999;
+	"Label" = "com.stepsecurity.agent";
+};`
+	var info Info
+	applyLaunchctlList(&info, out)
+	if info.LastExitCode == nil || *info.LastExitCode != 0 {
+		t.Errorf("LastExitCode = %v, want 0", info.LastExitCode)
+	}
+	if info.PID == nil || *info.PID != 999 {
+		t.Errorf("PID = %v, want 999", info.PID)
+	}
+}
+
+func TestApplySchtasksList(t *testing.T) {
+	out := `Folder: \
+HostName:                             DESKTOP
+TaskName:                             \StepSecurity Dev Machine Guard
+Next Run Time:                        6/22/2026 4:00:00 PM
+Status:                               Ready
+Last Run Time:                        6/22/2026 12:00:00 PM
+Last Result:                          0
+Task To Run:                          "C:\Program Files\StepSecurity\stepsecurity-dev-machine-guard-task.exe" send-telemetry --scheduled
+Number of Missed Runs:                3
+Schedule Type:                        Hourly`
+	var info Info
+	applySchtasksList(&info, out)
+	if info.LastRunTime != "6/22/2026 12:00:00 PM" {
+		t.Errorf("LastRunTime = %q", info.LastRunTime)
+	}
+	if info.NextRunTime != "6/22/2026 4:00:00 PM" {
+		t.Errorf("NextRunTime = %q", info.NextRunTime)
+	}
+	if info.State != "Ready" {
+		t.Errorf("State = %q, want Ready", info.State)
+	}
+	if info.LastExitCode == nil || *info.LastExitCode != 0 {
+		t.Errorf("LastExitCode = %v, want 0", info.LastExitCode)
+	}
+	if info.MissedRuns == nil || *info.MissedRuns != 3 {
+		t.Errorf("MissedRuns = %v, want 3", info.MissedRuns)
+	}
+	if info.Management != ManagementBinary {
+		t.Errorf("Management = %v, want binary", info.Management)
+	}
+}
+
+func TestManagementFromCmd(t *testing.T) {
+	cases := []struct {
+		cmd  string
+		want Management
+	}{
+		{"/bin/bash /Users/x/.stepsecurity/bin/stepsecurity-loader.sh send-telemetry --scheduled", ManagementLoader},
+		{`"C:\Program Files\StepSecurity\stepsecurity-dev-machine-guard-task.exe" send-telemetry --scheduled`, ManagementBinary},
+		{"/usr/local/bin/stepsecurity-dev-machine-guard send-telemetry", ManagementBinary},
+		{"/opt/something/else --flag", ManagementUnknown},
+	}
+	for _, c := range cases {
+		if got := managementFromCmd(c.cmd); got != c.want {
+			t.Errorf("managementFromCmd(%q) = %v, want %v", c.cmd, got, c.want)
+		}
+	}
+}
+
+func TestScanColonField_ExactMatch(t *testing.T) {
+	out := "Run Time: nope\nLast Run Time: yes\n"
+	// "Last Run Time" must not be satisfied by the substring "Run Time".
+	if v, ok := scanColonField(out, "Last Run Time"); !ok || v != "yes" {
+		t.Errorf(`scanColonField("Last Run Time") = %q,%v; want "yes",true`, v, ok)
+	}
+}
+
+// Log must tolerate both a fully-populated and a zero-value Info without panicking.
+func TestLog_NoPanic(t *testing.T) {
+	log := progress.NewLogger(progress.LevelDebug)
+	pid, code, missed := 5, 0, 1
+	ral := true
+	Log(Info{
+		Platform: "darwin", Manager: "launchd", Scheduled: true, Loaded: true,
+		Management: ManagementBinary, IntervalSeconds: 14400, ConfiguredHours: 4,
+		RunAtLoad: &ral, LastRunTime: "now", NextRunTime: "later",
+		LastExitCode: &code, MissedRuns: &missed, PID: &pid, State: "waiting",
+		UnitPath: "/x.plist", Raw: "raw output", Warnings: []string{"w1"},
+	}, log)
+	Log(Info{}, log)
+}
diff --git a/internal/schtasks/schtasks.go b/internal/schtasks/schtasks.go
index 6a90f49..f9fd055 100644
--- a/internal/schtasks/schtasks.go
+++ b/internal/schtasks/schtasks.go
@@ -7,6 +7,8 @@ import (
 	osexec "os/exec"
 	"path/filepath"
 	"strconv"
+	"strings"
+	"unicode/utf16"
 
 	"github.com/step-security/dev-machine-guard/internal/config"
 	"github.com/step-security/dev-machine-guard/internal/executor"
@@ -19,6 +21,16 @@ const (
 	launcherName = "stepsecurity-dev-machine-guard-task.exe"
 )
 
+// TaskName is the Windows scheduled task name. Exported so other packages
+// (e.g. schedinfo) can query the task without re-deriving the constant.
+const TaskName = taskName
+
+// logonTaskName is the companion at-logon task. schtasks /create supports a
+// single trigger, so the at-logon catch-up trigger lives in its own task
+// alongside the hourly one. Both invoke `send-telemetry`; the singleton lock
+// serializes an overlapping logon+hourly fire so they never scan concurrently.
+const logonTaskName = taskName + " (Logon)"
+
 // IsTaskRegistered reports whether the Windows scheduled task created by
 // `dev-machine-guard install` is currently registered. Used by the
 // telemetry package's invocation detector to distinguish a manual CLI run
@@ -83,17 +95,29 @@ func Install(exec executor.Executor, log *progress.Logger) error {
 	stepHome := logDir
 
 	taskBinary := resolveTaskBinary(exec, binaryPath)
-	args := buildCreateArgs(taskBinary, stepHome, hours, exec.IsRoot())
+	hourlyArgs := buildCreateArgs(taskName, taskBinary, stepHome, []string{"/sc", "HOURLY", "/mo", strconv.Itoa(hours)}, exec.IsRoot())
 	log.Debug("schtasks create: task_binary=%q agent=%q install_dir=%q hours=%d is_admin=%v", taskBinary, binaryPath, stepHome, hours, exec.IsRoot())
 
-	_, stderr, exitCode, err := exec.Run(ctx, "schtasks", args...)
-	log.Debug("schtasks /create: exit_code=%d err=%v", exitCode, err)
+	_, stderr, exitCode, err := exec.Run(ctx, "schtasks", hourlyArgs...)
+	log.Debug("schtasks /create %q: exit_code=%d err=%v", taskName, exitCode, err)
 	if err != nil {
 		return fmt.Errorf("failed to create scheduled task: %w", err)
 	}
 	if exitCode != 0 {
 		return fmt.Errorf("failed to create scheduled task (exit code %d): %s", exitCode, stderr)
 	}
+	applyBatterySettings(ctx, exec, log, taskName)
+
+	// Companion at-logon task: makes login a catch-up trigger so a device
+	// that's been off/asleep scans on next sign-in rather than waiting for the
+	// next hourly tick. The singleton lock serializes an overlapping logon+hourly
+	// fire. Best-effort — a failure here leaves the hourly schedule fully functional.
+	logonArgs := buildCreateArgs(logonTaskName, taskBinary, stepHome, []string{"/sc", "ONLOGON"}, exec.IsRoot())
+	if _, lstderr, lexit, lerr := exec.Run(ctx, "schtasks", logonArgs...); lerr != nil || lexit != 0 {
+		log.Warn("could not create at-logon catch-up task (%v, exit %d): %s — hourly schedule still active", lerr, lexit, strings.TrimSpace(lstderr))
+	} else {
+		applyBatterySettings(ctx, exec, log, logonTaskName)
+	}
 
 	log.Progress("Windows Task Scheduler configuration completed successfully")
 	log.Progress("  Task: %s", taskName)
@@ -142,7 +166,7 @@ func Uninstall(exec executor.Executor, log *progress.Logger) error {
 
 func doUninstall(ctx context.Context, exec executor.Executor, log *progress.Logger) error {
 	_, stderr, exitCode, err := exec.Run(ctx, "schtasks", "/delete", "/tn", taskName, "/f")
-	log.Debug("schtasks /delete: exit_code=%d err=%v", exitCode, err)
+	log.Debug("schtasks /delete %q: exit_code=%d err=%v", taskName, exitCode, err)
 	if err != nil {
 		return fmt.Errorf("failed to delete scheduled task: %w", err)
 	}
@@ -150,6 +174,13 @@ func doUninstall(ctx context.Context, exec executor.Executor, log *progress.Logg
 		return fmt.Errorf("failed to delete scheduled task (exit code %d): %s", exitCode, stderr)
 	}
 
+	// Remove the companion at-logon task. Best-effort: it won't exist when
+	// upgrading from a version that predates it, and "not found" must not fail
+	// the uninstall.
+	if _, lstderr, lexit, lerr := exec.Run(ctx, "schtasks", "/delete", "/tn", logonTaskName, "/f"); lerr != nil || lexit != 0 {
+		log.Debug("schtasks /delete %q: exit_code=%d err=%v stderr=%q (ignored)", logonTaskName, lexit, lerr, strings.TrimSpace(lstderr))
+	}
+
 	log.Progress("Removed scheduled task: %s", taskName)
 	log.Progress("Windows Task Scheduler configuration removed successfully")
 	return nil
@@ -175,15 +206,17 @@ func resolveTaskBinary(exec executor.Executor, agentPath string) string {
 	return agentPath
 }
 
-// buildCreateArgs returns the schtasks /create arguments for the
-// periodic scan task. The task action invokes the binary directly
-// (no `cmd /c` wrapper) — env config and log routing both live in
-// the binary now (--install-dir + filelog), and the wrapper was the
-// source of a visible cmd.exe flash on every fire.
-func buildCreateArgs(binaryPath, stepHome string, hours int, isAdmin bool) []string {
+// buildCreateArgs returns the schtasks /create arguments for a scan task
+// with the given name and schedule spec (e.g. ["/sc","HOURLY","/mo","4"] or
+// ["/sc","ONLOGON"]). The task action invokes the binary directly (no `cmd /c`
+// wrapper) — env config and log routing both live in the binary now
+// (--install-dir + filelog), and the wrapper was the source of a visible
+// cmd.exe flash on every fire.
+func buildCreateArgs(name, binaryPath, stepHome string, schedule []string, isAdmin bool) []string {
 	taskCmd := fmt.Sprintf(`"%s" send-telemetry --install-dir="%s"`, binaryPath, stepHome)
-	args := []string{"/create", "/tn", taskName, "/tr", taskCmd,
-		"/sc", "HOURLY", "/mo", strconv.Itoa(hours), "/f"}
+	args := []string{"/create", "/tn", name, "/tr", taskCmd}
+	args = append(args, schedule...)
+	args = append(args, "/f")
 	if isAdmin {
 		// /ru INTERACTIVE binds the task to the NT AUTHORITY\INTERACTIVE
 		// well-known group (SID S-1-5-4) so it fires under the security
@@ -212,3 +245,141 @@ func resolveLogDir(exec executor.Executor) string {
 	}
 	return `C:\ProgramData\StepSecurity`
 }
+
+// applyBatterySettings re-imports the named task's XML with the power /
+// missed-run / retry settings that `schtasks /create` cannot set from the
+// command line: DisallowStartIfOnBatteries=false, StopIfGoingOnBatteries=false,
+// StartWhenAvailable=true, and RestartOnFailure (15 min, 3 attempts). The OS
+// defaults (battery-restricted, no catch-up, 1-minute retry) otherwise leave a
+// laptop on battery silently never firing the task and retry too aggressively.
+// Flow: query the task's generated XML, force the Settings, and re-import via
+// `schtasks /create /xml`. Pure schtasks.exe — no dependency on the PowerShell
+// ScheduledTasks module (absent on Server Core). Best-effort: any failure
+// leaves the task with default settings, which is still better than no task.
+func applyBatterySettings(ctx context.Context, exec executor.Executor, log *progress.Logger, name string) {
+	stdout, stderr, code, err := exec.Run(ctx, "schtasks", "/query", "/tn", name, "/xml")
+	if err != nil || code != 0 {
+		log.Warn("could not read XML for task %q (%v, exit %d): %s — keeping default battery settings", name, err, code, strings.TrimSpace(stderr))
+		return
+	}
+
+	patched, changed := patchBatterySettings(decodeTaskXML(stdout))
+	if !changed {
+		log.Debug("task %q already has the desired battery settings", name)
+		return
+	}
+
+	tmp, err := os.CreateTemp("", "stepsec-task-*.xml")
+	if err != nil {
+		log.Warn("could not create temp file to update task %q settings (%v) — keeping defaults", name, err)
+		return
+	}
+	tmpPath := tmp.Name()
+	defer func() { _ = os.Remove(tmpPath) }()
+	// schtasks /create /xml is happiest with UTF-16LE+BOM input across Windows
+	// versions, which is also what /query /xml emits.
+	_, werr := tmp.Write(encodeTaskXMLUTF16(patched))
+	_ = tmp.Close()
+	if werr != nil {
+		log.Warn("could not write temp XML for task %q (%v) — keeping defaults", name, werr)
+		return
+	}
+
+	if _, rstderr, rcode, rerr := exec.Run(ctx, "schtasks", "/create", "/tn", name, "/xml", tmpPath, "/f"); rerr != nil || rcode != 0 {
+		log.Warn("could not re-import task %q with battery settings (%v, exit %d): %s — keeping defaults", name, rerr, rcode, strings.TrimSpace(rstderr))
+		return
+	}
+	log.Debug("applied battery / StartWhenAvailable settings to task %q", name)
+}
+
+// retryInterval / retryCount control the on-failure retry: if a scheduled run
+// exits non-zero, Task Scheduler retries it after retryInterval, up to
+// retryCount times (vs the OS default of 1 minute). PT15M is ISO-8601 for 15
+// minutes.
+const (
+	retryInterval = "PT15M"
+	retryCount    = 3
+)
+
+// patchBatterySettings forces the power / missed-run settings (battery +
+// StartWhenAvailable) and the on-failure retry policy to the values we want,
+// inserting any the queried XML omitted. Returns the patched XML and whether
+// anything changed. All edits are schema-safe: battery / StartWhenAvailable
+// replace existing elements in place; RestartOnFailure is injected last in
+// <Settings> (where Task Scheduler itself serializes it), so the result stays
+// valid in a single re-import.
+func patchBatterySettings(xml string) (string, bool) {
+	out := xml
+	out = setXMLElement(out, "DisallowStartIfOnBatteries", "false")
+	out = setXMLElement(out, "StopIfGoingOnBatteries", "false")
+	out = setXMLElement(out, "StartWhenAvailable", "true")
+	out = setRestartOnFailure(out, retryInterval, retryCount)
+	return out, out != xml
+}
+
+// setRestartOnFailure forces <RestartOnFailure><Interval>..</Interval>
+// <Count>..</Count></RestartOnFailure> in xml: it replaces an existing block or
+// injects one just before </Settings> (RestartOnFailure is the trailing
+// settings element in Task Scheduler's own XML, so last is the right spot).
+func setRestartOnFailure(xml, interval string, count int) string {
+	block := fmt.Sprintf("<RestartOnFailure><Interval>%s</Interval><Count>%d</Count></RestartOnFailure>", interval, count)
+	if start := strings.Index(xml, "<RestartOnFailure>"); start >= 0 {
+		if rel := strings.Index(xml[start:], "</RestartOnFailure>"); rel >= 0 {
+			end := start + rel + len("</RestartOnFailure>")
+			return xml[:start] + block + xml[end:]
+		}
+	}
+	if i := strings.Index(xml, "</Settings>"); i >= 0 {
+		return xml[:i] + "  " + block + "\n  " + xml[i:]
+	}
+	return xml
+}
+
+// setXMLElement sets <tag>value</tag> in xml: it replaces the element's current
+// value if the element is present, otherwise injects the element just before
+// </Settings>. Returns xml unchanged only if there's no </Settings> to inject
+// into (no recognizable task XML).
+func setXMLElement(xml, tag, value string) string {
+	open, closeTag := "<"+tag+">", "</"+tag+">"
+	if start := strings.Index(xml, open); start >= 0 {
+		if rel := strings.Index(xml[start:], closeTag); rel >= 0 {
+			end := start + rel + len(closeTag)
+			return xml[:start] + open + value + closeTag + xml[end:]
+		}
+	}
+	if i := strings.Index(xml, "</Settings>"); i >= 0 {
+		return xml[:i] + "  " + open + value + closeTag + "\n  " + xml[i:]
+	}
+	return xml
+}
+
+// decodeTaskXML converts the bytes emitted by `schtasks /query /xml` to a UTF-8
+// string. That output is typically UTF-16LE with a BOM; UTF-8 (with or without
+// BOM) and plain ASCII are handled too.
+func decodeTaskXML(raw string) string {
+	b := []byte(raw)
+	switch {
+	case len(b) >= 2 && b[0] == 0xFF && b[1] == 0xFE: // UTF-16LE BOM
+		u16 := make([]uint16, 0, (len(b)-2)/2)
+		for i := 2; i+1 < len(b); i += 2 {
+			u16 = append(u16, uint16(b[i])|uint16(b[i+1])<<8)
+		}
+		return string(utf16.Decode(u16))
+	case len(b) >= 3 && b[0] == 0xEF && b[1] == 0xBB && b[2] == 0xBF: // UTF-8 BOM
+		return string(b[3:])
+	default:
+		return raw
+	}
+}
+
+// encodeTaskXMLUTF16 serializes a UTF-8 string to UTF-16LE with a BOM, the
+// form schtasks /create /xml accepts most reliably across Windows versions.
+func encodeTaskXMLUTF16(s string) []byte {
+	u16 := utf16.Encode([]rune(s))
+	out := make([]byte, 0, 2+len(u16)*2)
+	out = append(out, 0xFF, 0xFE) // UTF-16LE BOM
+	for _, u := range u16 {
+		out = append(out, byte(u), byte(u>>8))
+	}
+	return out
+}
diff --git a/internal/schtasks/schtasks_test.go b/internal/schtasks/schtasks_test.go
index c3363b1..5c6e1d8 100644
--- a/internal/schtasks/schtasks_test.go
+++ b/internal/schtasks/schtasks_test.go
@@ -2,6 +2,7 @@ package schtasks
 
 import (
 	"context"
+	"strconv"
 	"strings"
 	"testing"
 
@@ -103,8 +104,13 @@ func TestResolveLogDir_Admin(t *testing.T) {
 	}
 }
 
+// hourlySchedule mirrors what Install passes for the periodic task.
+func hourlySchedule(hours int) []string {
+	return []string{"/sc", "HOURLY", "/mo", strconv.Itoa(hours)}
+}
+
 func TestBuildCreateArgs_CustomFrequency(t *testing.T) {
-	args := buildCreateArgs(`C:\agent.exe`, `C:\logs`, 6, false)
+	args := buildCreateArgs(taskName, `C:\agent.exe`, `C:\logs`, hourlySchedule(6), false)
 
 	// Find the /mo argument and check its value
 	foundMo := false
@@ -122,7 +128,7 @@ func TestBuildCreateArgs_CustomFrequency(t *testing.T) {
 }
 
 func TestBuildCreateArgs_Admin(t *testing.T) {
-	args := buildCreateArgs(`C:\agent.exe`, `C:\ProgramData\StepSecurity`, 4, true)
+	args := buildCreateArgs(taskName, `C:\agent.exe`, `C:\ProgramData\StepSecurity`, hourlySchedule(4), true)
 
 	foundRU := false
 	for i, a := range args {
@@ -139,7 +145,7 @@ func TestBuildCreateArgs_Admin(t *testing.T) {
 }
 
 func TestBuildCreateArgs_NonAdmin(t *testing.T) {
-	args := buildCreateArgs(`C:\agent.exe`, `C:\logs`, 4, false)
+	args := buildCreateArgs(taskName, `C:\agent.exe`, `C:\logs`, hourlySchedule(4), false)
 
 	for _, a := range args {
 		if a == "/ru" {
@@ -148,6 +154,46 @@ func TestBuildCreateArgs_NonAdmin(t *testing.T) {
 	}
 }
 
+// The companion at-logon task uses /sc ONLOGON (no /mo) under its own name —
+// this is the Windows "run on load" trigger.
+func TestBuildCreateArgs_LogonTask(t *testing.T) {
+	args := buildCreateArgs(logonTaskName, `C:\agent.exe`, `C:\logs`, []string{"/sc", "ONLOGON"}, false)
+
+	if !argPairPresent(args, "/tn", logonTaskName) {
+		t.Errorf("expected /tn %q in logon task args: %v", logonTaskName, args)
+	}
+	if !argPairPresent(args, "/sc", "ONLOGON") {
+		t.Errorf("expected /sc ONLOGON in logon task args: %v", args)
+	}
+	for _, a := range args {
+		if a == "/mo" {
+			t.Errorf("logon (ONLOGON) task must not carry /mo: %v", args)
+		}
+	}
+}
+
+// trArg returns the value of the /tr argument (the task command).
+func trArg(t *testing.T, args []string) string {
+	t.Helper()
+	for i, a := range args {
+		if a == "/tr" && i+1 < len(args) {
+			return args[i+1]
+		}
+	}
+	t.Fatal("no /tr argument found")
+	return ""
+}
+
+// argPairPresent reports whether flag is immediately followed by value.
+func argPairPresent(args []string, flag, value string) bool {
+	for i, a := range args {
+		if a == flag && i+1 < len(args) && args[i+1] == value {
+			return true
+		}
+	}
+	return false
+}
+
 // When the launcher binary is co-installed (MSI layout) it must be
 // preferred over the agent so the scheduled task fires through the
 // GUI-subsystem wrapper.
@@ -206,18 +252,9 @@ func TestRunNow_NonZeroExit(t *testing.T) {
 // (the pre-fix form) spawns a console window every time Task Scheduler
 // fires the task under an interactive user session.
 func TestBuildCreateArgs_TaskCommandFormat(t *testing.T) {
-	args := buildCreateArgs(`C:\agent.exe`, `C:\ProgramData\StepSecurity`, 4, true)
+	args := buildCreateArgs(taskName, `C:\agent.exe`, `C:\ProgramData\StepSecurity`, hourlySchedule(4), true)
 
-	taskCmd := ""
-	for i, a := range args {
-		if a == "/tr" && i+1 < len(args) {
-			taskCmd = args[i+1]
-			break
-		}
-	}
-	if taskCmd == "" {
-		t.Fatal("no /tr argument found")
-	}
+	taskCmd := trArg(t, args)
 
 	if strings.Contains(strings.ToLower(taskCmd), "cmd /c") || strings.Contains(strings.ToLower(taskCmd), "cmd.exe") {
 		t.Errorf("task command must not wrap binary in cmd: %q", taskCmd)
@@ -235,3 +272,114 @@ func TestBuildCreateArgs_TaskCommandFormat(t *testing.T) {
 		t.Errorf("task command must not redirect output or set env vars: %q", taskCmd)
 	}
 }
+
+// schtasks /create can't set battery/missed-run settings from the command
+// line, so Install re-imports the task XML with them flipped. These exercise
+// the pure patch/encode helpers (the schtasks round-trip itself needs Windows).
+func TestPatchBatterySettings_FlipsPresentValues(t *testing.T) {
+	xml := "<Task><Settings>" +
+		"<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>" +
+		"<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>" +
+		"<StartWhenAvailable>false</StartWhenAvailable>" +
+		"<Enabled>true</Enabled></Settings></Task>"
+	out, changed := patchBatterySettings(xml)
+	if !changed {
+		t.Fatal("expected changed=true")
+	}
+	for _, want := range []string{
+		"<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>",
+		"<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>",
+		"<StartWhenAvailable>true</StartWhenAvailable>",
+	} {
+		if !strings.Contains(out, want) {
+			t.Errorf("patched XML missing %q:\n%s", want, out)
+		}
+	}
+	if strings.Contains(out, "<StartWhenAvailable>false</StartWhenAvailable>") {
+		t.Error("StartWhenAvailable should have flipped to true")
+	}
+}
+
+func TestPatchBatterySettings_InjectsMissing(t *testing.T) {
+	xml := "<Task><Settings><Enabled>true</Enabled></Settings></Task>"
+	out, changed := patchBatterySettings(xml)
+	if !changed {
+		t.Fatal("expected changed=true (settings injected)")
+	}
+	for _, want := range []string{
+		"<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>",
+		"<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>",
+		"<StartWhenAvailable>true</StartWhenAvailable>",
+		"</Settings>",
+	} {
+		if !strings.Contains(out, want) {
+			t.Errorf("injected XML missing %q:\n%s", want, out)
+		}
+	}
+}
+
+func TestPatchBatterySettings_NoopWhenAlreadyDesired(t *testing.T) {
+	xml := "<Task><Settings>" +
+		"<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>" +
+		"<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>" +
+		"<StartWhenAvailable>true</StartWhenAvailable>" +
+		"<RestartOnFailure><Interval>PT15M</Interval><Count>3</Count></RestartOnFailure>" +
+		"</Settings></Task>"
+	if _, changed := patchBatterySettings(xml); changed {
+		t.Error("expected changed=false when settings already desired")
+	}
+}
+
+func TestPatchBatterySettings_AddsRetryOnFailure(t *testing.T) {
+	xml := "<Task><Settings>" +
+		"<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>" +
+		"<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>" +
+		"<StartWhenAvailable>false</StartWhenAvailable>" +
+		"</Settings></Task>"
+	out, changed := patchBatterySettings(xml)
+	if !changed {
+		t.Fatal("expected changed=true")
+	}
+	if !strings.Contains(out, "<RestartOnFailure><Interval>PT15M</Interval><Count>3</Count></RestartOnFailure>") {
+		t.Errorf("expected RestartOnFailure block (15m / 3):\n%s", out)
+	}
+	// Must land inside <Settings>, not after it.
+	if strings.Index(out, "<RestartOnFailure>") > strings.Index(out, "</Settings>") {
+		t.Errorf("RestartOnFailure must be inside <Settings>:\n%s", out)
+	}
+}
+
+func TestSetRestartOnFailure_ReplacesExisting(t *testing.T) {
+	xml := "<Settings><RestartOnFailure><Interval>PT1M</Interval><Count>3</Count></RestartOnFailure></Settings>"
+	out := setRestartOnFailure(xml, "PT15M", 3)
+	if !strings.Contains(out, "<Interval>PT15M</Interval>") {
+		t.Errorf("expected interval replaced to PT15M:\n%s", out)
+	}
+	if strings.Contains(out, "PT1M") {
+		t.Error("old PT1M interval should be gone")
+	}
+	if n := strings.Count(out, "<RestartOnFailure>"); n != 1 {
+		t.Errorf("expected exactly one RestartOnFailure block, got %d:\n%s", n, out)
+	}
+}
+
+func TestTaskXMLEncodeDecode_RoundTrip(t *testing.T) {
+	orig := `<?xml version="1.0"?><Task><Settings><Enabled>true</Enabled></Settings></Task>`
+	encoded := encodeTaskXMLUTF16(orig)
+	if len(encoded) < 2 || encoded[0] != 0xFF || encoded[1] != 0xFE {
+		t.Fatal("encoded output must start with a UTF-16LE BOM")
+	}
+	if got := decodeTaskXML(string(encoded)); got != orig {
+		t.Errorf("round-trip mismatch:\n got %q\nwant %q", got, orig)
+	}
+}
+
+func TestDecodeTaskXML_UTF8(t *testing.T) {
+	s := "<Task/>"
+	if got := decodeTaskXML(s); got != s {
+		t.Errorf("UTF-8 passthrough = %q, want %q", got, s)
+	}
+	if got := decodeTaskXML("\xEF\xBB\xBF" + s); got != s {
+		t.Errorf("UTF-8 BOM strip = %q, want %q", got, s)
+	}
+}
diff --git a/internal/systemd/systemd.go b/internal/systemd/systemd.go
index 9021d41..101fa7c 100644
--- a/internal/systemd/systemd.go
+++ b/internal/systemd/systemd.go
@@ -29,6 +29,11 @@ func TimerUnitPath() string {
 	return filepath.Join(homeDir, ".config", "systemd", "user", unitName+".timer")
 }
 
+// ServiceUnitName returns the systemd user service unit name (e.g. for
+// `systemctl --user is-active`). Exported so the telemetry invocation detector
+// can probe whether the timer-launched service is currently running.
+func ServiceUnitName() string { return unitName + ".service" }
+
 // Install configures a systemd user timer for periodic scanning.
 // If already installed, upgrades by removing and re-creating the units.
 //
diff --git a/internal/telemetry/invocation.go b/internal/telemetry/invocation.go
index aef7f42..9b70634 100644
--- a/internal/telemetry/invocation.go
+++ b/internal/telemetry/invocation.go
@@ -1,9 +1,13 @@
 package telemetry
 
 import (
+	"context"
 	"os"
 	"runtime"
+	"strings"
+	"time"
 
+	"github.com/step-security/dev-machine-guard/internal/executor"
 	"github.com/step-security/dev-machine-guard/internal/launchd"
 	"github.com/step-security/dev-machine-guard/internal/schtasks"
 	"github.com/step-security/dev-machine-guard/internal/systemd"
@@ -16,20 +20,28 @@ const (
 	InvocationOneTime = "one_time"
 )
 
-// DetectInvocationMethod returns "install" when the dev-machine-guard
-// scheduler footprint is present on this machine, else "one_time".
+// jobStateProbeTimeout bounds the per-platform "is the scheduler job running"
+// probe so a slow launchctl/systemctl/powershell can't delay run start.
+const jobStateProbeTimeout = 3 * time.Second
+
+// DetectInvocationMethod reports whether THIS run was triggered by the installed
+// scheduler ("install") or started manually ("one_time").
 //
-// The check is best-effort and never returns an error: a stat failure or a
-// flaky schtasks call degrades to "one_time" so an unknown environment is
-// never misreported as an installed agent. Detection is filesystem-based on
-// darwin/linux and a single schtasks query on windows, so an agent rolled
-// out before this code shipped starts reporting "install" on its next
-// scheduled fire without any installer changes.
-func DetectInvocationMethod() string {
-	if isSchedulerInstalled() {
-		return InvocationInstall
+// A scheduler footprint on disk is necessary but not sufficient — a developer
+// can run `send-telemetry` by hand on a machine that also has the scheduler
+// installed, and the field/UI mean per-invocation (scheduled vs manual), not
+// "is a scheduler installed." So when a footprint exists we consult the live
+// job state: only when the scheduler job is CONFIRMED idle do we report a manual
+// run; if it's running, or the probe is inconclusive, we keep "install" so a
+// genuine scheduled run is never mislabeled. Best-effort and never errors.
+func DetectInvocationMethod(exec executor.Executor) string {
+	if !isSchedulerInstalled() {
+		return InvocationOneTime
+	}
+	if idle, known := schedulerJobIdle(exec); known && idle {
+		return InvocationOneTime
 	}
-	return InvocationOneTime
+	return InvocationInstall
 }
 
 func isSchedulerInstalled() bool {
@@ -45,6 +57,54 @@ func isSchedulerInstalled() bool {
 	}
 }
 
+// schedulerJobIdle reports whether the scheduler job/task is CONFIRMED not
+// currently running. The second return is false when the state can't be
+// determined (probe failed / unsupported), so callers fail safe to "install".
+// The signals are locale-independent: launchctl's "PID" key, systemctl's fixed
+// active/activating states, and Get-ScheduledTask's State enum (NOT schtasks
+// /query's localized Status field).
+func schedulerJobIdle(exec executor.Executor) (idle, known bool) {
+	switch runtime.GOOS {
+	case "darwin":
+		// `launchctl list <label>` prints a "PID" key only while the job runs.
+		out, _, code, err := exec.RunWithTimeout(context.Background(), jobStateProbeTimeout, "launchctl", "list", launchd.Label)
+		if err != nil || code != 0 {
+			return false, false
+		}
+		return !strings.Contains(out, `"PID"`), true
+	case "linux":
+		// is-active prints active/activating while the oneshot service runs;
+		// inactive/failed when idle. Fixed strings, not localized.
+		out, _, _, err := exec.RunWithTimeout(context.Background(), jobStateProbeTimeout, "systemctl", "--user", "is-active", systemd.ServiceUnitName())
+		if err != nil {
+			return false, false
+		}
+		state := strings.TrimSpace(out)
+		if state == "" {
+			return false, false
+		}
+		running := state == "active" || state == "activating"
+		return !running, true
+	case "windows":
+		// Get-ScheduledTask's State enum (Ready/Running/...) is locale-independent,
+		// unlike schtasks /query's localized Status. Absent on Server Core minimal
+		// (no ScheduledTasks module) → probe fails → inconclusive → keep "install".
+		out, _, code, err := exec.RunWithTimeout(context.Background(), jobStateProbeTimeout,
+			"powershell", "-NoProfile", "-NonInteractive", "-Command",
+			"(Get-ScheduledTask -TaskName '"+schtasks.TaskName+"').State")
+		if err != nil || code != 0 {
+			return false, false
+		}
+		state := strings.TrimSpace(out)
+		if state == "" {
+			return false, false
+		}
+		return !strings.EqualFold(state, "Running"), true
+	default:
+		return false, false
+	}
+}
+
 func fileExists(path string) bool {
 	if path == "" {
 		return false
diff --git a/internal/telemetry/invocation_test.go b/internal/telemetry/invocation_test.go
index 31548f3..8e230b3 100644
--- a/internal/telemetry/invocation_test.go
+++ b/internal/telemetry/invocation_test.go
@@ -7,6 +7,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/step-security/dev-machine-guard/internal/executor"
 	"github.com/step-security/dev-machine-guard/internal/launchd"
 	"github.com/step-security/dev-machine-guard/internal/systemd"
 )
@@ -42,7 +43,7 @@ func TestFileExists(t *testing.T) {
 // real machine. The result is whatever the current dev box reports; we can
 // only assert the value is one of the two valid wire-format strings.
 func TestDetectInvocationMethod_HostMachine(t *testing.T) {
-	got := DetectInvocationMethod()
+	got := DetectInvocationMethod(executor.NewReal())
 	if got != InvocationInstall && got != InvocationOneTime {
 		t.Fatalf("DetectInvocationMethod returned %q, want %q or %q",
 			got, InvocationInstall, InvocationOneTime)
@@ -86,9 +87,14 @@ func TestDetectInvocationMethod_RespondsToFilesystem(t *testing.T) {
 		t.Fatalf("resolved path %q escaped tempHome %q — env sandbox is not effective", path, tempHome)
 	}
 
+	// Mock executor with no command stubs: the live job-state probe errors out
+	// → "inconclusive" → detection falls back to the footprint, which is what
+	// this test exercises.
+	mock := executor.NewMock()
+
 	// Fresh temp home — detector starts at one_time, flips to install when
 	// the marker appears, flips back when it's removed.
-	if got := DetectInvocationMethod(); got != InvocationOneTime {
+	if got := DetectInvocationMethod(mock); got != InvocationOneTime {
 		t.Fatalf("on clean temp home, detector returned %q, want %q",
 			got, InvocationOneTime)
 	}
@@ -102,7 +108,7 @@ func TestDetectInvocationMethod_RespondsToFilesystem(t *testing.T) {
 	// No explicit cleanup: everything lives under t.TempDir() and is
 	// removed by the testing framework when the test ends.
 
-	if got := DetectInvocationMethod(); got != InvocationInstall {
+	if got := DetectInvocationMethod(mock); got != InvocationInstall {
 		t.Fatalf("after creating %q, detector returned %q, want %q",
 			path, got, InvocationInstall)
 	}
@@ -113,8 +119,55 @@ func TestDetectInvocationMethod_RespondsToFilesystem(t *testing.T) {
 		t.Fatalf("remove fake artifact: %v", err)
 	}
 
-	if got := DetectInvocationMethod(); got != InvocationOneTime {
+	if got := DetectInvocationMethod(mock); got != InvocationOneTime {
 		t.Fatalf("after removing %q, detector returned %q, want %q",
 			path, got, InvocationOneTime)
 	}
 }
+
+// TestDetectInvocationMethod_RunningState covers the per-invocation logic on
+// macOS: with a scheduler footprint present, the live launchd job state decides
+// scheduler-triggered (PID running) vs manual (idle), and an inconclusive probe
+// stays "install" so a real scheduled run is never mislabeled. macOS-only
+// because schedulerJobIdle's probe command is platform-specific (keyed on the
+// test host's runtime.GOOS).
+func TestDetectInvocationMethod_RunningState(t *testing.T) {
+	if runtime.GOOS != "darwin" {
+		t.Skip("darwin-specific launchctl probe")
+	}
+
+	tempHome := t.TempDir()
+	t.Setenv("HOME", tempHome)
+	t.Setenv("USERPROFILE", tempHome)
+
+	// Create the footprint so isSchedulerInstalled() reports installed.
+	plist := launchd.UserPlistPath()
+	if plist == "" || !strings.HasPrefix(plist, tempHome) {
+		t.Skipf("plist path %q not sandboxed under %q", plist, tempHome)
+	}
+	if err := os.MkdirAll(filepath.Dir(plist), 0o755); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(plist, []byte("x"), 0o600); err != nil {
+		t.Fatal(err)
+	}
+
+	// Job running (launchctl list shows a PID) → scheduler-triggered → install.
+	running := executor.NewMock()
+	running.SetCommand(`{ "PID" = 123; "Label" = "com.stepsecurity.agent"; };`, "", 0, "launchctl", "list", launchd.Label)
+	if got := DetectInvocationMethod(running); got != InvocationInstall {
+		t.Errorf("running job: got %q, want %q", got, InvocationInstall)
+	}
+
+	// Job idle (no PID) → manual run on an installed machine → one_time.
+	idle := executor.NewMock()
+	idle.SetCommand(`{ "Label" = "com.stepsecurity.agent"; "LastExitStatus" = 0; };`, "", 0, "launchctl", "list", launchd.Label)
+	if got := DetectInvocationMethod(idle); got != InvocationOneTime {
+		t.Errorf("idle job: got %q, want %q", got, InvocationOneTime)
+	}
+
+	// Inconclusive probe (unstubbed → error) → keep install, never mislabel.
+	if got := DetectInvocationMethod(executor.NewMock()); got != InvocationInstall {
+		t.Errorf("inconclusive probe: got %q, want %q", got, InvocationInstall)
+	}
+}
diff --git a/internal/telemetry/phase_deadline.go b/internal/telemetry/phase_deadline.go
index f5b3c8d..a5c9ddc 100644
--- a/internal/telemetry/phase_deadline.go
+++ b/internal/telemetry/phase_deadline.go
@@ -25,6 +25,7 @@ import (
 // "Disabled" means no per-phase deadline; the parent scan deadline
 // (STEPSEC_MAX_SCAN_DURATION) and the whole-process watchdog still apply.
 var phaseBudgets = map[string]time.Duration{
+	"scheduler_info":      15 * time.Second,
 	"device_info":         30 * time.Second,
 	"ide_scan":            2 * time.Minute,
 	"extension_scan":      2 * time.Minute,
diff --git a/internal/telemetry/telemetry.go b/internal/telemetry/telemetry.go
index 573e67a..6c3f716 100644
--- a/internal/telemetry/telemetry.go
+++ b/internal/telemetry/telemetry.go
@@ -28,6 +28,7 @@ import (
 	"github.com/step-security/dev-machine-guard/internal/model"
 	"github.com/step-security/dev-machine-guard/internal/paths"
 	"github.com/step-security/dev-machine-guard/internal/progress"
+	"github.com/step-security/dev-machine-guard/internal/schedinfo"
 	"github.com/step-security/dev-machine-guard/internal/state"
 	"github.com/step-security/dev-machine-guard/internal/tcc"
 )
@@ -164,7 +165,7 @@ func Run(exec executor.Executor, log *progress.Logger, cfg *cli.Config) (err err
 	// Detect invocation method once at run start: "install" if the platform's
 	// scheduler footprint is on disk, else "one_time". Threaded into every
 	// run-status post and stamped on the final payload.
-	invocationMethod := DetectInvocationMethod()
+	invocationMethod := DetectInvocationMethod(exec)
 
 	// Phase tracker accumulates per-analysis-section completions so the
 	// backend can surface in-flight progress on the console. Reads from the
@@ -359,7 +360,28 @@ func Run(exec executor.Executor, log *progress.Logger, cfg *cli.Config) (err err
 	}()
 	log.Progress("Lock acquired (PID: %d)", os.Getpid())
 
-	// Device info — first tracked phase. Completes before the "started"
+	// Scheduler info — first tracked phase. Gathers launchd/schtasks/systemd
+	// state (interval, last/next run, RunAtLoad, last exit, missed runs) for
+	// troubleshooting; see docs/launchd-troubleshooting.md. Best-effort —
+	// schedinfo.Gather uses short per-query timeouts and never errors. Like
+	// device_info it completes before the "started" post (so the first
+	// heartbeat includes it), but postPhase() is intentionally NOT called
+	// here: the backend has no run-status row to upsert into until that post,
+	// so this phase's completion ships in the first postPhase() below.
+	schedCtx, schedCancel := startPhase(ctx, tracker, "scheduler_info")
+	log.Progress("Gathering scheduler information...")
+	schedinfo.Log(schedinfo.Gather(schedCtx, exec), log)
+	// Authoritative trigger for this run (same value uploaded as invocation_method
+	// and shown as the Scheduled/Manual badge in the console) — logged here for
+	// at-a-glance triage in agent.log.
+	if invocationMethod == InvocationInstall {
+		log.Progress("  This run: scheduler-triggered (invocation_method=install)")
+	} else {
+		log.Progress("  This run: manual (invocation_method=one_time)")
+	}
+	endPhase(schedCtx, schedCancel, tracker, log, "scheduler_info")
+
+	// Device info — second tracked phase. Completes before the "started"
 	// post so the first heartbeat already includes it in phases_completed.
 	phaseCtx, phaseCancel := startPhase(ctx, tracker, "device_info")
 	log.Progress("Gathering device information...")