Forum Discussion
Restart Windows 10 and 11 from MDE
Hi, yes, I was replying to all who posted.
And do you have any script that you made or actually was manual testing?
dmarquesgn, as it has been some time since I used this script, I made it from scratch to be 100% sure I am answering your question.
Just open notepad, write:
Restart-Computer -Force
and save it as "Restart-Computer.ps1".
Then head to Microsoft 365 Defender, locate the endpoint and start a live response session. Click "Upload file to library", add a description and hit Confirm.
Once the script is in the library, in the live response console of the endpoint of interest type:
run Restart-Computer.ps1
You will then see a message "Transcript started, output file is..." and hence your restart should have taken place.
I tested it while writing this, and it worked.
- dmarquesgn, May 15, 2023, Iron Contributor
I would say that the only possible way to automate most of it is using PowerShell, as it's able to interact with all those technologies, but I'm not sure if, for example, we can run Live Response via a PowerShell module. It's something to look at.
- cyb3rmik3, May 15, 2023, Microsoft
Sorry dmarquesgn for my misunderstanding. I haven't done what you describe, but from my perspective I would utilize Sentinel Automation Playbooks for this case.
- Point 1 can be covered through the Graph API; unfortunately, tags are not available through KQL.
- Point 2 would utilize some KQL to remove "servers".
- Point 3 can be done through the Defender for Endpoint actions in the Logic App (see screenshot below).
- Point 4 would probably have to loop back to point 1 to recheck which endpoints have had the relevant tag removed, hence which ones restarted successfully.
Hope this helped, but definitely needs a lot of work to deploy.
- dmarquesgn, May 15, 2023, Iron Contributor
Hi,
When I mentioned writing a script, I didn't mean the restart command; I meant the full process, which is more or less what I have in mind here:
- Get all devices which have the pending restart tag
- Exclude servers from the list
- Start the live response on each one of those devices, copy the script and run it
- Save the results as logging to a centralized place
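One way to put the four steps above (and the manual library-script procedure described earlier in the thread) into a single script is to drive the Microsoft Defender for Endpoint REST API from PowerShell instead of clicking through the portal. The script below is an added example, not code from either poster. It assumes an Entra app registration with the Machine.Read.All and Machine.LiveResponse application permissions (admin-consented), that Restart-Computer.ps1 is already uploaded to the live response library, and that a tag named "PendingRestart" marks devices that still need a reboot; the tag name, the log share path and the parameter names are placeholders.

```powershell
<#
  Added example, not code from this thread. Automates: (1) find devices with the
  pending-restart tag, (2) drop servers, (3) run the library script on each via a
  live response session, (4) log every outcome to a central CSV.
  Assumptions (placeholders, adjust for your tenant): an app registration with
  Machine.Read.All + Machine.LiveResponse application permissions; the script
  Restart-Computer.ps1 already in the live response library; tag "PendingRestart".
#>
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $ClientSecret,
    [string] $Tag        = 'PendingRestart',
    [string] $ScriptName = 'Restart-Computer.ps1',
    [string] $LogPath    = "\\fileserver\mde-logs\restart-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
)

$ErrorActionPreference = 'Stop'
$Api = 'https://api.securitycenter.microsoft.com'

# Client-credentials token scoped to the MDE API (this is not a Microsoft Graph token).
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = "$Api/.default"
    }).access_token
$Headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }

# Step 1: list devices, following @odata.nextLink until the inventory is complete.
$machines = @()
$uri = "$Api/api/machines"
while ($uri) {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $Headers
    $machines += $page.value
    $uri = $page.'@odata.nextLink'
}

# Step 2: keep tagged, active, non-server devices. osPlatform values look like
# "Windows10", "Windows11", "WindowsServer2019", so a prefix match drops servers.
$targets = @($machines | Where-Object {
    ($_.machineTags -contains $Tag) -and
    ($_.osPlatform -notlike 'WindowsServer*') -and
    ($_.healthStatus -eq 'Active')
})
Write-Host "Inventory: $($machines.Count) devices, $($targets.Count) tagged non-server targets."

# Step 3: the live response request body, same as typing "run <script>" in the console.
$body = @{
    Commands = @(@{ type = 'RunScript'; params = @(@{ key = 'ScriptName'; value = $ScriptName }) })
    Comment  = "Scheduled restart for devices tagged '$Tag'"
} | ConvertTo-Json -Depth 6   # default depth (2) would truncate the nested params

function Wait-MdeAction([string] $ActionId, [int] $TimeoutSeconds = 600) {
    # Poll the machine action until it leaves Pending/InProgress or we give up.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        $a = Invoke-RestMethod -Method Get -Uri "$Api/api/machineactions/$ActionId" -Headers $Headers
    } until (($a.status -notin @('Pending', 'InProgress')) -or ((Get-Date) -gt $deadline))
    return $a
}

# Step 4: one row per device, written to the central log share.
$results = foreach ($m in $targets) {
    $row = [ordered]@{
        Timestamp  = Get-Date -Format o
        Device     = $m.computerDnsName
        MachineId  = $m.id
        OsPlatform = $m.osPlatform
        ActionId   = $null
        Status     = $null
        Error      = $null
    }
    try {
        $action = Invoke-RestMethod -Method Post -Uri "$Api/api/machines/$($m.id)/runliveresponse" `
                                    -Headers $Headers -Body $body
        $row.ActionId = $action.id
        $row.Status   = (Wait-MdeAction -ActionId $action.id).status
    } catch {
        # Typical causes: device offline, live response disabled by policy,
        # another session already open on the device, or API throttling.
        $row.Status = 'NotStarted'
        $row.Error  = $_.Exception.Message
    }
    [pscustomobject]$row
}

New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null
$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
$results | Format-Table Device, OsPlatform, Status, Error -AutoSize
```

Two caveats when running this at scale: the live response API allows one session per device at a time and is rate-limited, so a large fleet should be processed in batches rather than all at once; and because the script's whole purpose is to reboot the endpoint, the session that launched it is torn down mid-command, so the machine action may finish as Failed or TimeOut even when the restart happened. Treat the CSV as a record of what was attempted, and confirm success the way cyb3rmik3 suggests, by re-running step 1 afterwards and checking which devices no longer carry the tag.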