Comprehensive Guide to Managing Windows 11 Reboots with Intune
Unplanned restarts can derail productivity and frustrate users. Microsoft Intune offers built-in controls, scripting options, and integration points to keep your Windows 11 devices patched and rebooted on your schedule. This guide walks through each approach in detail, from native settings to custom automation and third-party tools.
1. Leverage Intune’s Native Restart Controls
A. Update Rings and Restart Deadlines
Create Windows Update rings to group devices and define how and when updates install:
- In the Intune admin center, go to Devices > Windows > Update rings for Windows 10 and later.
- Click Create profile and assign it a name (for example, “Nightly Updates”).
- Under Update settings, configure deferral periods for quality and feature updates.
- Enable Automatic restart notification and set restart deadline—the maximum days after installation before the device must reboot.
- Specify active hours when restarts are suppressed (for example, 8 AM–6 PM).
- Assign the ring to Azure AD device groups.
This ensures updates install outside work hours and forces reboots only after your deadline.
B. Settings Catalog for Fine-Grained Policies
Use the Settings Catalog to expose granular Windows Update and reboot options:
- Navigate to Devices > Configuration profiles and create a profile using the Settings catalog.
- Under Templates, choose Windows 10 and later.
- Add settings in Endpoint protection > Update:
- Configure auto-restart notification: Control how long notifications display.
- Specify deadline before auto-restart: Set a grace period after the deadline passes.
- Configure active hours start/end: Define daily windows to block reboots.
- Assign the policy to the same device groups.
These registry-backed settings let you fine-tune warning intervals, deferral lengths, and active-hours behavior beyond what update rings alone provide.
2. Create Maintenance Windows with Scripts
Intune lacks true maintenance window objects, but you can simulate them with scheduled scripts.
Scheduled Reboot Script
Deploy a PowerShell script that only reboots during off-peak hours:
powershell# RebootWindow.ps1
$localTime = Get-Date
$startWindow = Get-Date -Hour 2 -Minute 0 -Second 0
$endWindow = Get-Date -Hour 5 -Minute 0 -Second 0
if ($localTime -ge $startWindow -and $localTime -le $endWindow) {
Restart-Computer -Force
} else {
Write-Host "Outside reboot window. No action taken."
}
- In Intune, go to Devices > Scripts > Add > Windows 10 and later.
- Upload
RebootWindow.ps1. - Set Run this script using the logged on credentials to No.
- Schedule it to run daily—devices will only reboot between 2 AM and 5 AM.
This ensures reboots occur predictably every night without interrupting daytime users.
3. Enhance User Experience with Notifications
Unexpected restarts can frustrate users. Combine scripts or Win32 apps with toast notifications:
powershell# NotifyReboot.ps1
[Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime] | Out-Null
$template = [Windows.UI.Notifications.ToastNotificationManager]::GetTemplateContent([Windows.UI.Notifications.ToastTemplateType]::ToastText02)
$template.GetElementsByTagName("text")[0].AppendChild($template.CreateTextNode("Scheduled Reboot"))
$template.GetElementsByTagName("text")[1].AppendChild($template.CreateTextNode("Your PC will restart in 30 minutes. Save your work."))
$xml = New-Object Windows.Data.Xml.Dom.XmlDocument
$xml.LoadXml($template.GetXml())
$toast = [Windows.UI.Notifications.ToastNotification]::new($xml)
$notifier = [Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier("IntuneReboot")
$notifier.Show($toast)
Deploy this as a pre-reboot notification script to run 30 minutes before your reboot window. It pops up a clear warning so users have time to save documents.
4. Integrate Third-Party Tools for Advanced Scheduling
When you need more features than Intune provides:
Patch My PC
- Seamlessly updates Microsoft and third-party apps.
- Offers built-in reboot schedules, user deferral options, and custom maintenance windows.
- Integrates directly with Intune via its connector.
ManageEngine Patch Manager Plus
- Leverages Intune’s APIs to deploy patches.
- Defines multiple maintenance window templates with blackout dates.
- Provides detailed compliance reporting and audit logs.
Co-Management with Configuration Manager
If you run Intune in co-management mode with SCCM:
- Use SCCM’s maintenance windows feature for precise control over all workloads, including reboots.
- SCCM can orchestrate on-premises updates, then push policies to Intune clients.
These tools layer on top of Intune to deliver enterprise-grade scheduling, user prompts, and reporting.
5. Monitor and Report on Reboots
Visibility is key to refining your strategy:
- Intune Reports: Under Reports > Windows updates, review devices pending reboot and compliance status.
- Log Analytics: Connect your devices to Azure Monitor. Query the Update and Heartbeat tables to see reboot times and failures:
textUpdate
| where DeviceId in("DeviceA","DeviceB")
| project TimeGenerated, DeviceName, Status
- Script Logs: In your PowerShell scripts, write status messages to local log files or Event Viewer using
Write-EventLog.
Tracking these metrics helps adjust active hours, deadlines, and maintenance windows to minimize disruptions.
By combining Intune’s built-in update rings and settings catalog, custom PowerShell scheduling scripts, user-friendly notifications, and third-party patching solutions, you can fully control when Windows 11 devices reboot. This layered approach ensures patches install on time, systems stay secure, and users aren’t caught off guard.
