Delay Windows Update pending reboot with toast notification

Everyone knows the situation: you come back from vacation and the computer wants to reboot after installing updates. From a security point of view, however, it is extremely important that the system is always up to date. How about a solution where updates are always installed right away, but the user gets a little more time to read emails and reboots the device only when it suits them? Another example is a measurement or other process that runs on the computer for several hours or days. Here, too, it would be really bad if a reboot interrupted the measurement. In this blog post I show how you can delay the reboot after an update installation while still reminding the user of the reboot and giving them the chance to do it when it suits them.

Modify the Update Ring

  • Open the MEM Portal
  • Navigate to Devices -> Update rings for Windows 10 and later
  • Create or open an existing update ring
  • Click Properties
  • Click Edit
  • Grace period: Here you define how long the reboot is postponed after an update installation. You can select a period between 0 and 7 days. If you set this, it also makes sense to set Auto reboot before deadline to No.
  • Click Review + save

Create Notification for the next reboot

I have written a script that checks whether a reboot is pending and, if so, brings up a toast notification. It consists of a detection script, which checks for a pending reboot, and a remediation script, which displays the toast notification. You can find both scripts in my Git repository.
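A sketch of how such a detection check can look, as an added example and not the script from the repository. It assumes the two registry keys Windows commonly uses to flag a pending reboot; the function name Test-PendingReboot is hypothetical. Proactive remediations runs the remediation script only when the detection script exits with code 1.

```powershell
# Added example: detection script for a Proactive remediations package.
# Exit 1 = reboot pending (remediation/toast runs), exit 0 = nothing to do.

# Assumption: these well-known markers are sufficient for the check.
# Both live under HKLM and are readable by a standard user, which matters
# because the package runs with the logged-on credentials.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)

function Test-PendingReboot {
    # Returns the first marker key that exists, or $null if none is present.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($key in $Path) {
        if (Test-Path -LiteralPath $key) { return $key }
    }
    return $null
}

try {
    $marker = Test-PendingReboot -Path $rebootKeys

    # Days since last boot, reported so the output shows how long
    # the device has been running without a restart.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $uptimeDays = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)

    if ($marker) {
        Write-Output "Reboot pending ($marker), uptime $uptimeDays days"
        exit 1
    }

    Write-Output "No reboot pending, uptime $uptimeDays days"
    exit 0
}
catch {
    # If the check itself fails, do not show the user a misleading reboot
    # prompt; report the error in the script output instead.
    Write-Output "Detection failed: $($_.Exception.Message)"
    exit 0
}
```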

  • Download the scripts and open Get-PendingRebootNotificationRemediation.ps1 to customize it
  • First you need an image for the toast header. To add this image to the PowerShell script, you have to encode it as base64. I use the following tool for the encoding: https://www.base64-image.de/
    When the picture is encoded, you can paste the base64 string into the $tostImageBase64 variable in the script
  • Next we have to adapt the following variables with the content you want to show:

Deploy Script via Endpoint Analytics

  • To deploy this toast notification to the clients, open the MEM portal and navigate to Reports -> Endpoint analytics -> Proactive remediations
  • Click Create script package
  • Enter a name
  • Click Next
  • Upload the detection script and the remediation script
  • Select Yes for Run this script using the logged on credentials
  • Click Next
  • Click Next
  • Assign the script to a group and click Daily
  • Change the schedule to Hourly (you can also select another schedule, such as daily) and click Apply
  • Click Next
  • Click Create

Conclusion

With this implementation you give the user enough flexibility to finish their work before the pending reboot is executed, but you still remind them every hour that they have to reboot as soon as possible. This is a good mix of flexibility and security compliance. There are also many ways to customize the message so that it is either more noticeable or gives the user even more information. You could also develop the remediation script further and include a check for whether a program is open on the device and, depending on the result, trigger the reboot automatically.

Stay healthy, Cheers
Jannik

4 thoughts on “Delay Windows Update pending reboot with toast notification”

  1. Hi,

    First of all, thanks for your wonderful article. But I have a simple question. What’s the image size that you are using for your script?
    Also,

    I want to change the font type / color and use UTF8 encoding for the variables $tostTitle, $tostHeadline, $tostText, $tostMessage. How can I do that?

    Lastly, I want to add a transparent image behind $tostTexttext? Is it possible?

    thanks in advance,
    Kind regards,
