Forum Discussion
Restart Windows 10 and 11 from MDE
dmarquesgn, sorry, but can you share where you are seeing the pending system reset in Defender so that I can be certain what and where you are looking at? Also, as for the pending restart itself, if this is also reported in the Intune Windows update reports, then you can send a PS or proactive remediation script for a pending reboot and initiate a reboot. However, forcing a reboot on end user devices is not something I’ll recommend.
- dmarquesgn | May 15, 2023 | Iron Contributor
I would say that the only possible way to automate most of it is using PowerShell, as it's able to interact with all those technologies, but I'm not sure if, for example, we can run Live Incident Response through a PowerShell module. It's something to look at.
- cyb3rmik3 | May 15, 2023 | Iron Contributor
Sorry dmarquesgn for my misunderstanding. I haven't done what you describe, but per my perspective I would utilize Sentinel Automation Playbooks for this case.
- Point 1 can be covered through Graph API, unfortunately Tags are not available through KQL.
- Point 2 would utilize some KQL to remove "servers"
- Point 3 can be done through Defender for Endpoint options at Logic App (see screenshot below)
- Point 4 would probably have to loop in point 1 to recheck which endpoints would have the relevant tag removed hence they would have restarted successfully.
Hope this helped, but definitely needs a lot of work to deploy.
- dmarquesgn | May 15, 2023 | Iron Contributor
Hi,
When I mentioned writing a script, it's not for the restart command; I meant the full process, which is basically what I have in mind, more or less this:
- Get all devices which have the pending restart tag
- Exclude servers from the list
- Start the live response on each one of those devices, copy the script and run it
- Save the results as logging to a centralized place
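The four steps listed above, sketched in PowerShell against the Defender for Endpoint machines and live response API endpoints. This is an added example, not code from any poster in the thread; the tag name `PendingRestart`, the log path, the app registration parameters, the `MDE_CLIENT_SECRET` variable and the `Server` match on `osPlatform` are assumptions, and `Restart-Computer.ps1` is assumed to already be in the live response library.

```powershell
# Added example (not from the thread). Placeholders: tag name, log path, app registration.
param(
    [string]$TenantId,
    [string]$ClientId,
    [string]$ClientSecret = $env:MDE_CLIENT_SECRET,  # hypothetical variable; prefer a vault
    [string]$Tag     = 'PendingRestart',             # assumed tag name
    [string]$LogPath = '.\mde-restart-log.csv',      # assumed central log location
    [switch]$Execute                                 # without it, targets are only logged
)
$api = 'https://api.securitycenter.microsoft.com'

# Steps 1-2: keep tagged devices, drop any whose osPlatform names a server edition.
function Select-RestartTarget {
    param([object[]]$Machine, [string]$Tag)
    $Machine | Where-Object { $_.machineTags -contains $Tag -and $_.osPlatform -notmatch 'Server' }
}

if ($TenantId) {
    $tok = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body @{
        grant_type = 'client_credentials'; client_id = $ClientId
        client_secret = $ClientSecret;     scope = "$api/.default" }
    $hdr = @{ Authorization = "Bearer $($tok.access_token)" }
    # Large tenants page results via @odata.nextLink; follow it before relying on this list.
    $machines = (Invoke-RestMethod -Uri "$api/api/machines" -Headers $hdr).value
} else {
    # Constructed sample records so the filter can be checked without a tenant.
    $machines = @(
        [pscustomobject]@{ id = 'a1'; computerDnsName = 'pc-01';  osPlatform = 'Windows11';         machineTags = @('PendingRestart') }
        [pscustomobject]@{ id = 'b2'; computerDnsName = 'srv-01'; osPlatform = 'WindowsServer2019'; machineTags = @('PendingRestart') }
        [pscustomobject]@{ id = 'c3'; computerDnsName = 'pc-02';  osPlatform = 'Windows10';         machineTags = @() }
    )
}

# Step 3: live response request that runs the script already uploaded to the library.
$body = @{ Comment  = 'Restart for pending update'
           Commands = @(@{ type = 'RunScript'; params = @(@{ key = 'ScriptName'; value = 'Restart-Computer.ps1' }) })
         } | ConvertTo-Json -Depth 5

# Step 4: one CSV row per targeted device, whether submitted, failed, or dry run.
Select-RestartTarget -Machine $machines -Tag $Tag | ForEach-Object {
    $m = $_; $status = 'DryRun'
    if ($Execute -and $TenantId) {
        try {
            $r = Invoke-RestMethod -Method Post -Uri "$api/api/machines/$($m.id)/runliveresponse" `
                     -Headers $hdr -ContentType 'application/json' -Body $body
            $status = "Submitted:$($r.id)"
        } catch { $status = "Failed:$($_.Exception.Message)" }
    }
    [pscustomobject]@{ Time = (Get-Date -Format o); Device = $m.computerDnsName; MachineId = $m.id; Status = $status }
} | Export-Csv -Path $LogPath -NoTypeInformation -Append
```

Run with no arguments, it filters the constructed sample and logs a single `DryRun` row for `pc-01`; nothing is restarted unless both tenant credentials and `-Execute` are supplied.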
- cyb3rmik3 | May 15, 2023 | Iron Contributor
dmarquesgn, as it has been some time since I used this script, I made it from scratch to be 100% sure I will be answering your question.
Just open notepad, write:
Restart-Computer -Force
save it as "Restart-Computer.ps1"
Then head to Microsoft 365 Defender, locate the endpoint and commence live response. Click "Upload file to library" and put a description and hit Confirm.
Once the script is in the library, in the live response session of the endpoint of interest, type:
run Restart-Computer.ps1
You will then see a message "Transcript started, output file is..." and hence, your restart should have taken place.
I tested it while writing this, and it worked.
- dmarquesgn | May 15, 2023 | Iron Contributor
I do have the same feeling, that sometimes the information is not accurate, but in fact I haven't had a chance to look at it deeply to find something which doesn't make sense and report it to Microsoft.
Also, as you need to wait 24h more or less for the update to reach the Defender portal, it's quite difficult to manage testing.
- dmarquesgn | May 15, 2023 | Iron Contributor
Hi, yes, I was replying to all who posted.
And do you have any script that you made, or was it actually manual testing?
- Stephen Kerkmann | May 15, 2023 | Copper Contributor
For reference, I don't believe the issue is that the computer needs to be restarted. My computer has this issue and I have restarted several times. I even tried to manually do the Windows Update with no luck. For the April quality update I downloaded and installed the KB manually, which worked, but now the May update is doing the same pending restart thing again.
- cyb3rmik3 | May 15, 2023 | Iron Contributor
Hello dmarquesgn,
did you give my reply above a try? Before answering you I tried the solution in a lab environment and it worked. If you need any further help, please let me know.
- dmarquesgn | May 15, 2023 | Iron Contributor
Hi,
I did not find a solution for the problem. I have a couple of ideas to solve the issue, but I haven't yet had time to start developing some scripts to do what I need.
As soon as I do so I'll update this topic.
- Stephen Kerkmann | May 14, 2023 | Copper Contributor
dmarquesgn, was there a resolution to this issue? I have been having this issue since February/March 2023... Stephen