Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Restart Windows 10 and 11 from MDE

Iron Contributor


I need to be able to restart some Windows 10 and 11 due to the application of updates.

Is it possible to force a Windows restart from the MDE interface or by any query?


24 Replies

@Stephen Kerkmann 

I do have the same feeling, that sometimes the information is not accurate, but in fact I didn't had a chance to look at it deeply to find something which doesn't make sense and report it to Microsoft.

Also, as you need to wait 24h more or less for the update to reach Defender portal, it's quite difficult to manage testing.

@dmarquesgn as it has been some time since I used this script, so I made it from scratch to be 100% I will be answering your question.


Just open notepad, write:

Restart-Computer -Force

save it as "Restart-Computer.ps1"


Then head to Microsoft 365 Defender, locate the endpoint and commence live response.  Click "Upload file to library" and put a description and hit Confirm.


Once the script is in the library, at live response type of the endpoint of interest hit:

run Restart-Computer.ps1

You will then see a message "Transcript started, output file is..." and hence, your restart should have taken place.


I tested it while writing this, and it worked.




When I meant writting a script, it's not for the restart command, I meant the full process, which is basically what I have in mind more or less this:

- Get all devices which have the pending restart tag

- Exclude servers from the list

- Start the live response on each one of those devices, copy the script and run it

- Save the results as logging to a centralized place


Sorry @dmarquesgn for my misunderstanding. I haven't done what you describe, but per my perspective I would utilize Sentinel Automation Playbooks for this case. 

- Point 1 can be covered through Graph API, unfortunately Tags are not available through KQL.

- Point 2 would utilize some KQL to remove "servers"

- Point 3 can be done through Defender for Endpoint options at Logic App (see screenshot below)

- Point 4 would probably have to loop in point 1 to recheck which endpoints would have the relevant tag removed hence they would have restarted successfully.



Hope this helped, but definitely needs a lot of work to deploy.


I would say that the only possible way to automate most of it is using Powershell, as it's able to interact with all those technologies, but I'm not sure if for example we can run Live Incident Response by powershell module. It's something to look at.