SOLVED

Could Intune be the cause of unwanted restarts?


I have an Intune environment that I am currently working on pushing out an endpoint protection profile. There was an older endpoint protection profile that only pushed app control as "audit-only". This profile had finished updating all machines. I deleted this profile from the environment, upon which a large number of users started to get a restart notice. They were unable to defer this restart and their machines were going to restart in the next 10 minutes. I'm trying to find out if removing a profile would cause this. The only thing I could find was that pushing a change to app control would cause a restart of the machine, but only if a change was occurring. There was no change pushed during today's work.

 

Link to the above-mentioned document here: https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-application-control

 

Another oddity to note here is not every machine was affected. I'm still gathering the exact numbers but it appears to be a large number of the Intune joined machines.

2 Replies
Best Response confirmed by wesblackwell1080 (Occasional Visitor)
Solution

@wesblackwell1080 

 

Application control settings usually need a reboot to take effect, whether audit or enforce mode. I hear you that you just upgraded the profile, but I expect that change was the reason for the reboot.

 

Moe

 

 


@Moe_Kinani 

 

I saw that in the documentation as well. What confuses me is that there was no change. The profile had already been applied to devices and was active. The documentation also states that the policy for app control will not be changed unless switching from audit-only to enforced or vice versa. Neither of these happened; this was only a removal of the profile. To also confirm, yes, devices are still auditing apps as they were doing prior, so this has not changed functionality either, which is to be expected.
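
One way to check on an affected device whether the restart request lines up with MDM policy activity, as an added example that is not part of the original thread or of any poster's reply. It reads the standard restart-request event (ID 1074, provider User32, System log) and counts events in the MDM client and Code Integrity logs shortly before each request; the two-day lookback and 30-minute window are assumptions to adjust.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on a device that received the restart notice.
$lookback = (Get-Date).AddDays(-2)    # assumption: the restart was in the last 2 days
$window   = New-TimeSpan -Minutes 30  # assumption: how far before the restart to look

# Event 1074 records which process asked for the restart, for which user and why.
$restarts = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'User32'; Id = 1074; StartTime = $lookback
} -ErrorAction SilentlyContinue

# Logs written by the MDM client and by Code Integrity (application control).
$policyLogs = @(
    'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin',
    'Microsoft-Windows-CodeIntegrity/Operational'
)
$policyEvents = foreach ($log in $policyLogs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $lookback } `
        -ErrorAction SilentlyContinue
}

$report = foreach ($r in $restarts) {
    $from = $r.TimeCreated - $window
    # Policy events that occurred inside the window before this restart request.
    $near = @($policyEvents | Where-Object {
        $_.TimeCreated -ge $from -and $_.TimeCreated -le $r.TimeCreated
    })
    # Summarise as "log: id x count" so unusual bursts stand out.
    $summary = $near | Group-Object LogName, Id | ForEach-Object {
        '{0}: id {1} x{2}' -f $_.Group[0].LogName, $_.Group[0].Id, $_.Count
    }
    [pscustomobject]@{
        RestartRequested = $r.TimeCreated
        # First line of the message names the initiating process and user.
        Initiator        = ($r.Message -split "`r?`n")[0]
        PolicyEventCount = $near.Count
        PolicyEvents     = $summary -join '; '
    }
}

if ($report) { $report | Sort-Object RestartRequested | Format-List }
else { 'No restart requests (event 1074) found in the lookback period.' }
```

Running the same script on a device that did not restart gives a baseline for how many policy events are normal in that window.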