SOLVED

Defender for Endpoint onboarding causes force reboot?


Is it known that in some cases onboarding to Defender for Endpoint can cause a forced reboot with 2 minutes' notice? Do we know when the reboot is forced and why for others this reboot does not happen? Are there some dependencies that need to be present (installed) if they do not exist?

8 Replies
I haven't had this issue before. What OS do you have the issue with?
Are you removing other AV software at the same time?

@Thijs Lecomte I cannot get my hands on a test device where I could do proper testing of onboarding due to COVID restrictions. I work for an MSP, so these devices are not from my own organization. This is also why I don't have full access to these devices (which are Windows 10 2004) and I cannot see Event Viewer, which would tell me something about the reboot. So it's not 100% verified that the reboot is caused by the onboarding, but out of 4 devices that were onboarded, 3 got forcefully rebooted within an hour of onboarding. No one else's device force rebooted during the day that day. So I'm suspecting it's the MD for Endpoint onboarding. They have Microsoft Defender Antivirus in use, no other AV solution installed.

You mentioned "issue". So you'd categorize a forced reboot during onboarding as an "issue"? I have done just a few onboardings but mostly servers thus far. They did not reboot as far as I can remember.

Yes, I haven't had it that computers rebooted after deployment.
I did an onboarding last week on Windows 10 1909 and didn't get any issue.
I think it might be another application forcing the reboot, as I haven't heard any reports on this (maybe somebody from Microsoft can confirm).
best response confirmed by tommihovi (Occasional Contributor)
Solution
This most likely isn't Microsoft Defender for Endpoint causing the reboot -- but it's hard to tell with limited information. Can you open a support case or provide more details here?

You are most likely right. I've come to believe that there is other configuration being pushed at the same time as the MDE onboarding happens and one of those changes causes the forced reboot. I just do not know which one. But all in all it is most definitely something else.

Did you configure an Application Control Policy as a part of the onboarding? We've noticed this does trigger a reboot without notification or cancellation option. Even with the option not to reboot enforced, it still reboots ...

Maybe that's the same situation? More information can be found here:

https://www.reddit.com/r/Intune/comments/lwmx00/defender_application_control_forced_restarts/
Oh yes sir, I did! Thanks for the link!
You're welcome! ;)
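
For anyone who does have access to an affected device, the following is an added example (not posted by any participant in this thread) of how the Event Viewer data mentioned above can show which process requested the restart and whether an application control policy was loaded shortly before it. It assumes an elevated PowerShell session, a 7-day look-back, and the usual field order of the System log's Event ID 1074 message.

```powershell
# Added example: find restart requests and check whether an application
# control (Code Integrity) policy was loaded in the hour before each one.
$since  = (Get-Date).AddDays(-7)   # look-back period (assumption)
$window = New-TimeSpan -Hours 1    # "within an hour", as reported in the thread

# System log, Event ID 1074: a process or user requested a shutdown/restart.
$restarts = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 1074; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Process = $_.Properties[0].Value   # process that initiated the restart
        Reason  = $_.Properties[2].Value
        Type    = $_.Properties[4].Value   # restart / power off
        Comment = $_.Properties[5].Value
        User    = $_.Properties[6].Value
    }
}

# Code Integrity operational log, Event ID 3099: a policy was loaded.
$policyLoads = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3099
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($r in $restarts) {
    # Most recent policy load that precedes this restart by at most $window.
    $prior = $policyLoads | Where-Object {
        $_ -and $_.TimeCreated -le $r.Time -and
        ($r.Time - $_.TimeCreated) -le $window
    } | Sort-Object TimeCreated -Descending | Select-Object -First 1

    # PolicyLoadedAt stays empty when no policy load preceded the restart.
    $r | Add-Member -NotePropertyName PolicyLoadedAt `
                    -NotePropertyValue $prior.TimeCreated -PassThru
}
```

A row whose `PolicyLoadedAt` is filled in and whose `Process` is not a user-initiated shutdown points at the policy deployment rather than the Defender for Endpoint onboarding itself.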