Forum Discussion

dmarquesgn's avatar
dmarquesgn
Iron Contributor
Mar 13, 2023

Restart Windows 10 and 11 from MDE

Hi, I need to be able to restart some Windows 10 and 11 due to the application of updates. Is it possible to force a Windows restart from the MDE interface or by any query? Thanks
cyb3rmik3's avatar
cyb3rmik3
Icon for Microsoft rankMicrosoft
May 15, 2023

Sorry dmarquesgn for my misunderstanding. I haven't done what you describe, but per my perspective I would utilize Sentinel Automation Playbooks for this case. 

- Point 1 can be covered through Graph API, unfortunately Tags are not available through KQL.

- Point 2 would utilize some KQL to remove "servers"

- Point 3 can be done through Defender for Endpoint options at Logic App (see screenshot below)

- Point 4 would probably have to loop in point 1 to recheck which endpoints would have the relevant tag removed hence they would have restarted successfully.

 

Hope this helped, but definitely needs a lot of work to deploy.

dmarquesgn's avatar
dmarquesgn
Iron Contributor
May 15, 2023

cyb3rmik3 

I would say that the only possible way to automate most of it is using Powershell, as it's able to interact with all those technologies, but I'm not sure if for example we can run Live Incident Response by powershell module. It's something to look at.