Forum Discussion
Restart Windows 10 and 11 from MDE
Hi,
When I mentioned writing a script, it's not for the restart command; I meant the full process, which is basically what I have in mind, more or less this:
- Get all devices which have the pending restart tag
- Exclude servers from the list
- Start the live response on each one of those devices, copy the script and run it
- Save the results as logging to a centralized place
Sorry dmarquesgn for my misunderstanding. I haven't done what you describe, but from my perspective I would utilize Sentinel Automation Playbooks for this case.
- Point 1 can be covered through the Graph API; unfortunately, tags are not available through KQL.
- Point 2 would utilize some KQL to remove "servers".
- Point 3 can be done through the Defender for Endpoint options in a Logic App (see screenshot below).
- Point 4 would probably have to loop back to point 1 to recheck which endpoints have had the relevant tag removed, hence have restarted successfully.
Hope this helped, but it definitely needs a lot of work to deploy.
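As an added illustration of the four points above (not code from either poster), here is the selection and request-building logic in Python, run offline against a constructed sample in the JSON shape returned by the Defender for Endpoint machines API (`GET /api/machines`). The tag name `PendingRestart`, the library script name `restart.ps1`, and the rule "osPlatform starting with Windows but not containing Server" are assumptions; the `runliveresponse` body format is the documented MDE live response API.

```python
"""Added example: steps 1-4 of the restart flow as pure functions over the
/api/machines record shape. Network calls are left to the caller."""
import json

API_BASE = "https://api.securitycenter.microsoft.com/api"  # MDE API (assumption: used instead of Graph)
TAG = "PendingRestart"          # assumed tag name marking devices that need a restart
SCRIPT = "restart.ps1"          # assumed name of a script already in the live response library

# Constructed sample of /api/machines records (field names match the real
# schema; ids, hostnames and tags are made up for illustration).
SAMPLE_MACHINES = [
    {"id": "m1", "computerDnsName": "wks-01", "osPlatform": "Windows10",
     "healthStatus": "Active", "machineTags": [TAG]},
    {"id": "m2", "computerDnsName": "wks-02", "osPlatform": "Windows11",
     "healthStatus": "Active", "machineTags": [TAG, "VIP"]},
    {"id": "m3", "computerDnsName": "srv-01", "osPlatform": "WindowsServer2019",
     "healthStatus": "Active", "machineTags": [TAG]},            # server: excluded
    {"id": "m4", "computerDnsName": "wks-03", "osPlatform": "Windows10",
     "healthStatus": "Inactive", "machineTags": [TAG]},          # offline: skipped
    {"id": "m5", "computerDnsName": "wks-04", "osPlatform": "Windows11",
     "healthStatus": "Active", "machineTags": []},               # no tag: skipped
]

def is_client_windows(os_platform):
    """Assumed server-exclusion rule: Windows client editions only."""
    return os_platform.startswith("Windows") and "Server" not in os_platform

def select_targets(machines, tag=TAG):
    """Points 1 and 2: tagged, currently active, non-server Windows devices."""
    return [m for m in machines
            if tag in m.get("machineTags", [])
            and m.get("healthStatus") == "Active"
            and is_client_windows(m.get("osPlatform", ""))]

def live_response_request(machine_id, script=SCRIPT, args="", comment=""):
    """Point 3: URL and JSON body for POST .../machines/{id}/runliveresponse."""
    body = {"Commands": [{"type": "RunScript",
                          "params": [{"key": "ScriptName", "value": script},
                                     {"key": "Args", "value": args}]}],
            "Comment": comment or f"Scheduled restart via {script}"}
    return f"{API_BASE}/machines/{machine_id}/runliveresponse", json.dumps(body)

def plan(machines):
    """Point 4: one record per target for the central log. The caller POSTs
    each request, then polls /api/machineactions/{id} and stores the status."""
    return [{"device": m["computerDnsName"], "url": url, "body": body}
            for m in select_targets(machines)
            for url, body in [live_response_request(m["id"])]]
```

Run against live data by replacing `SAMPLE_MACHINES` with the decoded `value` array from an authenticated `GET {API_BASE}/machines`; live response must be enabled in the tenant's advanced features for the POST to be accepted.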
- dmarquesgn, May 15, 2023, Iron Contributor
I would say that the only possible way to automate most of it is using PowerShell, as it's able to interact with all those technologies, but I'm not sure if, for example, we can run Live Incident Response via a PowerShell module. It's something to look at.