WPSecure

Enterprise Computer Reboot Reminder For Organizations – Microsoft Intune

Getting Users to restart their computers is challenging because it is not their priority. IT teams are caught between a rock and a hard place with one of the two responses below.

  • Force computers to reboot – This leads to an angry user base with lost unsaved documents.
  • Unhealthy Windows devices that have not rebooted for days, months, and, yes, sometimes years.

There is another option wherein we display ‘Pending Reboot‘ reminders using Desktop backgrounds, lock screen images, and Video screensavers until the device’s status changes from “Pending Reboot” to “Compliant“. Automatically return to a regular Windows Personalization Package when the Pending Reboot status clears after a device restart. The principle here is this: If you say it loudly and often enough, it will be heard and perceived. 

Listed below are a few guidelines. Please read them carefully.

  • Designate a Windows Personalization Package as a ‘Pending Reboot’ messaging package (Discussed later in this article). 
  • Ensure the Desktop backgrounds, lockscreen images, and Video screensavers fit Portrait and Landscape screens.
  • Image and Video pixel quality and aspect ratio maintenance are crucial for message quality.
  • Ensure the images and videos are attractive, pleasing to the eye, and informative.
  • Ensure the messaging stays on point. 
  • Remind the User about their obligations to the security of their assigned Windows device.
  • Lock screen images can include your organizational legal notice disclaimer and a note at the top reminding the User to restart the device.
  • On the other hand, the message on the Desktop background could be a bit more forcefully stated. A skillfully crafted imagery can be compelling.
  • The video screensaver leaves an indelible subconscious longing to comply: An invitation to restart the computer regularly.
  • Encourage the User to call your helpdesk services if the ‘Pending Reboot’ messages do not clear after a restart. Devices that have failed security update installs remain in a state of ‘Pending Reboot.’ This allows your organization to identify and fix Windows update issues quickly and efficiently.

Now that the stage has been set. There are two components to this article.

  1. The detection and remediation script in Microsoft Intune.
  2. A WPSecure Personalization Package containing Desktop backgrounds, Lockscreen images, and a video Screensaver. Click here to learn more.

The detection and remediation script in Microsoft Intune.

Compliance and remediation scripts in Microsoft Intune or SCCM can help identify and set the ‘pendingreboot‘ flag required to trigger the designated personalization package (explained later in this article).

Your detection script can look similar to the Powershell script below. It identifies a ‘Pending Reboot’ scenario.

				
					if (!(Get-Module -ListAvailable -Name PendingReboot)) {
    # Install Nuget Provider.
    Install-PackageProvider -Name Nuget -Force
    # Install Nuget Pending Reboot Module.
    Install-Module -Name PendingReboot -Force
}
if (Get-Module -ListAvailable -Name PendingReboot -ErrorAction SilentlyContinue) {
    # Check pending reboot.
    # Use parameters -SkipConfigurationManagerClientCheck or -SkipPendingFileRenameOperationsCheck depending on your requirements
    # https://www.powershellgallery.com/packages/PendingReboot/0.9.0.6
    # https://github.com/bcwilhite/PendingReboot/
    if((Test-PendingReboot -ErrorAction SilentlyContinue).IsRebootPending) {
        # Reboot is pending
        exit 1
    } else {
        # Reboot is not pending
        Remove-ItemProperty -Path HKLM:\SOFTWARE\WPSecure -Name pendingreboot -Force -ErrorAction SilentlyContinue
        exit 0
    }
} else {
    # Module was not installed or is not available. How would you like to handle this.
    # If exit value is 1 Pending Reboot flag will be set. If exit value is 0 Pending Reboot value will not be set.
    exit 0
}
				
			

The remediation script below sets the ‘pendingreboot‘ flag required to trigger the designated personalization package (explained later in this article).

				
					Set-ItemProperty -Path HKLM:\SOFTWARE\WPSecure -Name pendingreboot -Type DWord -Value 1 -Force -ErrorAction SilentlyContinue
				
			

Open Microsoft Intune Console. intune.microsoft.com and follow the pictorial instructions below.

wpsecure computer-reboot reminder 1
wpsecure computer-reboot reminder 2
wpsecure computer-reboot reminder 3
wpsecure computer-reboot reminder 4
wpsecure computer-reboot reminder 5
wpsecure computer-reboot reminder 6
wpsecure computer-reboot reminder 7

The above setup will create the ‘pendingreboot‘ flag whenever the device requires a reboot (The detection and remediation scripts will run every hour).

Create a Windows Personalization Package

Download the Windows Personalization Packager by clicking on the ‘Download’ button at the top right corner of this website.

Open the Personalization Packager from the start menu after installing the Packager.

Click on the item called “WPSecure Personalization Packager.” Doing so will open the Packager in full-screen mode. Click the button at the bottom to agree to the terms and enter the application.

WPSecure Personalization Packager Main Screen

On the following page, the buttons at the application’s top help you add the following items.

  1. Add one or more Desktop background images for landscape and portrait screens. While you are not required to add images for all possible screen resolutions, the more extensive the collection of image sizes is, the better the user experience will be.
  2. Add two Lock screen images, one for Landscape and optionally another for Portrait Screens.
  3. Import a “New message” Signature and a “Reply message” Outlook signature. (Outlook Signatures module is disabled for personalization packages marked as ‘Pending Reboot’ packages – explained later in this article)
  4. Add MP4 video file for Windows Screensaver. You can add a video for Landscape screens and a video for Portrait screens.

Refer to the documentation for more information.

Microsoft Outlook Signature Deployment Tool 1

After adding all the necessary Personalization items, the application window will look similar to the one below. You can preview the items by clicking on them.

The image below is used for demonstration purposes. We recommend ‘Pending Reboot’ packages that include more forceful and compelling colors and text.

wpsecure main window-showing preview

After adding the necessary Personalization items, click the “Create Personalization Package” button to start the package creation process.

windows personalization packager intune 2

After adding the necessary Personalization items, click the “Create Personalization Package” button to start the package creation process.

Use this button to export the personalization package to a folder. A personalization package is a collection of all the settings and files you have imported or created for your desktop backgrounds, Outlook signatures, and screensavers.  The selected destination folder has to be empty. The personalization package creation process creates two folders: general_install and intune_install.

The general_install folder contains installation files for deployment via enterprise software management tools like Microsoft Endpoint Configuration Manager (SCCM). Run the ‘wpsecure-install.exe’ to install the personalization package. More details regarding the enterprise installation and uninstallation process are in the ‘documentation.html’ file.

The intune_install folder contains the ‘wpsecure-install.intunewin’ file to be uploaded to the Microsoft Endpoint Device Management portal (Intune). The command-line for this is identical to the general install.

The process also creates a documentation.html file that provides all the information required to deploy the personalization package, like package version, install command line, uninstall command line, and detection methods.

This article will only discuss deployment via Microsoft Intune. Open the “intune_install” folder and 

Open Microsoft Intune Admin Center and click on “Apps” and then choose “Windows Apps”.

Microsoft Intune Deployment - 1
Microsoft Intune Deployment - 3
Microsoft Intune Deployment - 4

Use the “+ Add” button to create the Intune Win32 App deployment. Follow the images below to get through the first steps of the setup process.

Microsoft Intune App Deployment 7
Microsoft Intune App Deployment 8

The documentation.html file provides all the information required to deploy the personalization package, like package version, install command line, uninstall command line, and detection methods.

Microsoft Intune App Deployment 9
Microsoft Intune App Deployment 10
Microsoft Intune App Deployment 11

Using the above information, fill out the Intune Win32 application setup form.

Microsoft Intune App Deployment 12
Microsoft Intune App Deployment 13
Microsoft Intune App Deployment 14
Microsoft Intune App Deployment 16
Microsoft Intune App Deployment 17

Click Next and complete the process. Wait for Microsoft Intune to upload and set up your Windows Personalization package.

Designate as a ‘Pending Reboot’ package

The final step is to designate a particular Windows Personalization Package version as the ‘Pending Reboot’ messaging package.

Remember that you can install up to 5 personalization packages on each device.

				
					wpsecure-set.exe -prpv 20.24.0623.1319
				
			

After a restart, the WPSecure Personalization engine clears the ‘Pending Reboot’ flag, returning to display other Windows Personalization Packages deployed to the device. The cycle continues, keeping your Windows 10 and 11 devices compliant and healthy.

Click here to read more about the Windows Personalization Packager.

Further documentation ==> Click here.