Could Intune be the cause of unwanted restarts?

  • Question

  • I have an Intune environment that I am currently working on pushing out an endpoint protection profile. There was an older endpoint protection profile that only pushed app control as "audit-only". This profile had finished updating all machines. I deleted this profile from the environment, upon which a large number of users started to get a restart notice. They were unable to defer this restart and their machines were going to restart in the next 10 minutes. I'm trying to find out if removing a profile would cause this. The only thing I could find was that pushing a change to app control would cause a restart of the machine, but only if a change was occurring. There was no change pushed during today's work.

    Link to the above-mentioned document here: https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-application-control

    Another oddity to note here is that not every machine was affected. I'm still gathering the exact numbers, but it appears to be a large number of the Intune-joined machines.

    Thursday, October 1, 2020 6:21 PM

Answers

  • I was able to set up a lab, run several different tests, and confirm an answer. In the Intune Endpoint Protection profile document (https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-application-control), there is a footnote that states that deploying the policy will cause a reboot. There is no mention that a deletion of the profile will also do the same. I have been able to confirm that this is the case: if the profile is deleted, all assigned machines will be forced to reboot. This is further stated under the AppLocker CSP doc (https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp).

    The AppLocker CSP will schedule a reboot when a policy is applied or a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI.

    The event log for this reboot is a generic system event ID 1074:

    The process C:\Windows\System32\RuntimeBroker.exe ([computername]) has initiated the restart of computer [computername] on behalf of user [domain\user] for the following reason: Other (Unplanned) Reason Code: 0x0 Shutdown Type: restart Comment:

    There is also an event logged under the code integrity event section for both the removal and any subsequent start-up of app control:

    Removal

    code integrity will disable whql driver enforcement for this boot session. settings 0x0

    Addition

    Refreshed and activated Code Integrity policy {a244370e-44c9-4c06-b551-f6016e563076} DefaultWindowsAudit, id 031017. Status 0x0

    I'll submit a change to the MSFT doc for endpoint protection to reflect this as well. Thank you for your time.

    Friday, October 2, 2020 4:01 PM
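
The following is an added example, not part of the original thread: a PowerShell triage script that pairs the RuntimeBroker-initiated event ID 1074 restarts described in the answer with Code Integrity events logged close to them. It assumes the Code Integrity events are in the `Microsoft-Windows-CodeIntegrity/Operational` log, matches them on the message text quoted above rather than on event IDs, and uses an arbitrary 7-day lookback and 30-minute correlation window.

```powershell
# Added example: correlate restarts initiated by RuntimeBroker.exe (System 1074)
# with Code Integrity policy events logged near the same time.
# Assumptions: 7-day lookback, 30-minute window either side of the restart.
$since         = (Get-Date).AddDays(-7)
$windowMinutes = 30

# System event 1074 entries whose message names RuntimeBroker.exe as the initiator.
$restarts = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 1074; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'RuntimeBroker\.exe' }

# Code Integrity events, matched on the message text quoted in the answer
# (-match is case-insensitive, so the lower-case removal message also matches).
$ciPattern = 'Refreshed and activated Code Integrity policy|disable whql driver enforcement'
$ciEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $ciPattern }

# One output row per restart, listing the Code Integrity events inside the window.
foreach ($r in $restarts) {
    $near = @($ciEvents | Where-Object {
        [math]::Abs(($_.TimeCreated - $r.TimeCreated).TotalMinutes) -le $windowMinutes
    } | Sort-Object TimeCreated)

    [pscustomobject]@{
        RestartTime  = $r.TimeCreated
        Computer     = $r.MachineName
        CiEventCount = $near.Count
        CiEvents     = ($near | ForEach-Object {
            # Keep only the first line of each message to keep the row readable.
            '{0:u} [{1}] {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`r?`n")[0]
        }) -join "`n"
    }
}
```

A restart row with `CiEventCount` of 0 has no Code Integrity policy activity in the window, so its cause should be looked for elsewhere.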