Microsoft Tech Community

Restart Windows 10 and 11 from MDE


Hi,

I need to be able to restart some Windows 10 and 11 machines due to the application of updates.

Is it possible to force a Windows restart from the MDE interface or by any query?

Thanks

24 Replies
Hi,
Thanks for the reply. I know in Intune I can restart the machines, but that raises a lot of issues. This way I would have to create a script, to check for something within Defender, and then issue a restart request to Intune to those specific machines.
Also, does Intune allow any control over the restart, like confirmation, timings, etc.?
Thanks
Don’t really understand the ask here. Application of which updates? OS?
Unfortunately not. There is no information for the user, and the restart is performed immediately. But if you want to play with scripts, you can write a PowerShell script (force restart), then upload and run this script using a Live Response session. But it's a long process.
Yes, the goal is to guarantee that the restart is done to force the Windows update process.
Thanks, I see where you're going, which is a quite interesting path, even though it would be something really hard.
If the machines are on the network, I have means to restart them. I would have to find a way to integrate stuff, but the main problem is the machines which are out of the network.
Ok. I am not quite sure why you want to leverage Defender to achieve status against a device reboot. Maybe this is a specific use case, but normally Intune will be the go-to tool to manage security updates if you are licensed and the devices are enrolled. Maybe look at update rings and custom compliance in Intune if not already done.

@rahuljindal-MVP 

I have Intune configured to deploy the security updates. Our Intune policy is what's on the screenshot below.

Screenshot_6.png

So, the last option means the machine should be auto-restarted after the grace period, right?
What I've seen is that of about 2000 machines, roughly 100 of them each month do not complete the update because they miss the restart and stay in pending. So I need to find a way to force the restart, to be sure the patch was deployed.

Thanks

Do they report pending or they actually don’t restart?
Hi, they actually report pending restart. I'm not totally sure if the problem is that the machine did not restart (according to Defender) or if there's any other issue.
That's why I would like to be able to issue a restart, so then I could check if Defender already removed the tag "Pending Restart" and considers the vulnerability fixed.

@dmarquesgn sorry, but can you share where you are seeing the pending system reset in Defender, so that I can be certain what and where you are looking at? Also, as for the pending restart itself, if this is also reported in the Intune Windows update reports, then you can send a PS or proactive remediation script for a pending reboot and initiate a reboot. However, forcing a reboot on end user devices is not something I'll recommend.

@rahuljindal-MVP 

Hi,

Here you have a screenshot of where I can see that.

Screenshot_3_censored.jpg

Thanks. In my experience, this information is never up to date. I would suggest pulling the information on reboot from the devices using Intune itself.

@dmarquesgn Was there a resolution to this issue? I have been having this issue since February/March 2023... Stephen

Hello @dmarquesgn,

While there is no restart option through the GUI of M365 Defender, you can try the following:

  • Perform a live response at the endpoint of interest
  • Create a PowerShell script containing the "Restart-Computer -Force" command
  • Upload it to the library
  • Run the .ps1 script

If a user is logged in, you will probably see an error indicating "The system shutdown cannot be initiated because there are other users logged on to the computer." Otherwise, the endpoint will restart.

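An added example (not from any poster in this thread, and not Microsoft's code) of what the Live Response script from the reply above, or the pending-reboot remediation script mentioned earlier, could look like: it checks the well-known Windows pending-reboot markers, refuses to interrupt a signed-in user unless told to, and logs what it did so the result can be collected afterwards. The script name, log path and switches are assumptions.

```powershell
<#
  Added example: check whether this device still has a pending reboot from
  servicing / Windows Update and only then restart it. Meant to be uploaded
  to the Live Response library and started with "run Invoke-PendingReboot.ps1"
  (script name is an assumption); the log can be collected with "getfile".
#>
param(
    [switch]$Force,      # restart even if an interactive user is signed in
    [switch]$ReportOnly  # only report the state, never restart
)

$log = Join-Path $env:ProgramData 'PendingRebootCheck.log'   # assumed path
function Write-Log([string]$msg) {
    "$(Get-Date -Format o) $msg" | Tee-Object -FilePath $log -Append
}

# Well-known registry markers Windows sets when a reboot is outstanding.
$markers = @{
    'CBS RebootPending' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    'WU RebootRequired' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
}
$pending = @()
foreach ($m in $markers.GetEnumerator()) {
    if (Test-Path $m.Value) { $pending += $m.Key }
}
$sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
if ($sm -and $sm.PendingFileRenameOperations) { $pending += 'PendingFileRenameOperations' }

if (-not $pending) { Write-Log 'No pending reboot detected; nothing to do.'; exit 0 }
Write-Log "Pending reboot detected: $($pending -join ', ')"
if ($ReportOnly) { exit 0 }

# Do not kick off a signed-in user unless the operator explicitly asked for it.
$user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if ($user -and -not $Force) {
    Write-Log "Interactive user '$user' is signed in; skipping restart (use -Force to override)."
    exit 2
}

try {
    Write-Log 'Restarting computer now.'
    Restart-Computer -Force -ErrorAction Stop
} catch {
    # Surfaces the "other users logged on" style failure instead of hiding it.
    Write-Log "Restart failed: $($_.Exception.Message)"
    exit 1
}
```

Run it first with -ReportOnly to see which marker is keeping the device in the pending state before deciding whether a forced restart is justified.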

Hi,
I did not find a solution for the problem. I have a couple of ideas to solve the issue, but I haven't yet had time to start developing some scripts to do what I need.
As soon as I do so I'll update this topic.

Hello @dmarquesgn,

Did you give my reply above a try? Before answering you, I tried the solution in a lab environment and it worked. If you need any further help, please let me know.

For reference. I don't believe the issue is that the computer needs to be restarted. My computer has this issue and I have restarted several times. I even tried to manually do the Windows Update with no luck. For April quality update I downloaded and installed the KB manually which worked but now the May update is doing the same pending restart thing again.

@cyb3rmik3 

Hi, yes, I was replying to all who posted.

And do you have any script that you made, or was it actually manual testing?