Identifying Windows Computers with Pending Reboot Status Using PowerShell
Windows systems that have received patches or updates but not restarted remain in a 'pending reboot' state, which can cause subsequent update failures, policy misapplication, and security exposure. PowerShell scripts can query specific registry keys (Component Based Servicing, Session Manager, Windows Update) to identify these systems across the domain. Results enable patch management teams to prioritise and enforce reboots within compliance windows.
Indicators
- Computer has received a patch or security update but has not been restarted to complete installation
- Users repeatedly defer or postpone required reboot prompts after update installation
- Pending reboot registry keys are present on the system indicating restart is required
- Subsequent Windows Update installations fail with errors referencing pending operations
- Group Policy or Intune compliance policies report drift on systems awaiting reboot
Likely causes
- Windows Update or security patches installed that require a reboot to complete file replacement or kernel-level changes
- Users or automated processes deferring or dismissing reboot prompts indefinitely
- Component-Based Servicing (CBS) or DISM operations leaving a pending reboot flag
- Configuration Manager (SCCM/MECM) or WSUS deployments not enforcing mandatory reboot deadlines
- PendingFileRenameOperations registry value populated by software installations or updates
Diagnostic steps
- Identify the registry locations that indicate a pending reboot. Check the following:
  - HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending
  - HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
  - HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired

  The first and third are keys whose presence signals a pending reboot; PendingFileRenameOperations is a value under the Session Manager key. Understand which registry locations must be checked to determine if a reboot is pending before writing or running any script.
- Run a local test on a single machine using PowerShell:

      $rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
      $rebootRequired = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
      $pendingFileRename = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
      if ($rebootPending -or $rebootRequired -or $pendingFileRename) { Write-Output 'Reboot Pending' }

  Validate that the detection method works correctly on a known machine (one with a pending reboot and one without) before remote deployment.
- Scale to the domain using PowerShell remoting:

      # Get-ADComputer requires the ActiveDirectory module (RSAT)
      $computers = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
      $results = Invoke-Command -ComputerName $computers -ScriptBlock {
          # Keys: presence alone means a reboot is pending
          $cbsReboot = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
          $wuReboot = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
          # Value: populated when file renames are queued for the next boot
          $pfro = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
          [PSCustomObject]@{
              ComputerName = $env:COMPUTERNAME
              CBSRebootPending = $cbsReboot
              WURebootRequired = $wuReboot
              PendingFileRename = [bool]$pfro
          }
      } -ErrorAction SilentlyContinue   # connection errors are suppressed: unreachable hosts return no row

  Query all domain computers to produce a comprehensive list of systems in a pending reboot state.
- Filter and export results to CSV:

      $results |
          Where-Object { $_.CBSRebootPending -or $_.WURebootRequired -or $_.PendingFileRename } |
          Export-Csv -Path 'C:\Reports\PendingReboots.csv' -NoTypeInformation

  Produce actionable output that operations or patch management teams can use to prioritise and schedule reboots.
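The sweep and export steps above combined into one function, as an added example that is not part of the original page: it keeps a row for every computer that was asked, so a host that did not answer over remoting is reported as NoResponse instead of silently dropping out of the CSV and being read as compliant. The function name Get-PendingRebootReport, the Status values, the ThrottleLimit default and the Enabled filter are assumptions made for illustration.

```powershell
# Added example. Get-PendingRebootReport and the Status values are illustrative
# assumptions; the registry locations and report path are the ones used on this page.
function Get-PendingRebootReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$ThrottleLimit = 32
    )

    $check = {
        $sm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
        $pfro = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
        [PSCustomObject]@{
            CBSRebootPending  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
            WURebootRequired  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
            PendingFileRename = [bool]$pfro
        }
    }

    # Connection errors are suppressed, so a host that fails returns no object at all.
    $rows = @(Invoke-Command -ComputerName $ComputerName -ScriptBlock $check -ThrottleLimit $ThrottleLimit -ErrorAction SilentlyContinue)

    # Invoke-Command attaches PSComputerName to every object a remote host returns.
    $byName = @{}
    foreach ($r in $rows) { $byName[$r.PSComputerName] = $r }

    # Emit one row per requested computer, including the ones that never answered.
    foreach ($name in $ComputerName) {
        $row = $byName[$name]
        if (-not $row) {
            [PSCustomObject]@{ ComputerName = $name; Status = 'NoResponse'; CBSRebootPending = $null; WURebootRequired = $null; PendingFileRename = $null }
            continue
        }
        $pending = $row.CBSRebootPending -or $row.WURebootRequired -or $row.PendingFileRename
        [PSCustomObject]@{
            ComputerName      = $name
            Status            = if ($pending) { 'RebootPending' } else { 'Clean' }
            CBSRebootPending  = $row.CBSRebootPending
            WURebootRequired  = $row.WURebootRequired
            PendingFileRename = $row.PendingFileRename
        }
    }
}

# Assumption: only enabled computer accounts are swept, to cut down on NoResponse rows.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' | Select-Object -ExpandProperty Name
Get-PendingRebootReport -ComputerName $computers |
    Where-Object Status -ne 'Clean' |
    Export-Csv -Path 'C:\Reports\PendingReboots.csv' -NoTypeInformation
```

Re-running the same function after the reboot window gives a direct before/after comparison, with NoResponse rows marking the systems whose state is still unknown.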
Resolution path
- Review the list of computers identified as having a pending reboot and communicate with relevant teams or users to schedule an approved restart window.
- For managed endpoints, use SCCM/MECM, Intune, or Group Policy to enforce a mandatory reboot deadline, ensuring systems restart within an acceptable compliance window.
- For systems where remote administration is permitted, use PowerShell remoting to reboot approved systems:

      Invoke-Command -ComputerName <ComputerName> -ScriptBlock { Restart-Computer -Force }
- After reboots are completed, re-run the pending reboot detection script to confirm the registry keys have been cleared and no systems remain in a pending state.
- Update patch management reporting to reflect cleared compliance status for rebooted systems.
Prevention
- Configure Group Policy or WSUS/SCCM to enforce mandatory reboot deadlines after patch installation, preventing indefinite deferral by end users.
- Implement a regular scheduled maintenance window (e.g., weekly or monthly) during which all managed endpoints are automatically rebooted as part of the patch cycle.
- Use compliance reporting in SCCM, Intune, or a dedicated patch management tool to alert administrators when a computer has been in a pending reboot state for longer than a defined threshold (e.g., 48 hours).
- Deploy the pending reboot detection script as a scheduled task or monitoring check (e.g., via Zabbix, SCOM, or a custom runbook) to proactively surface non-compliant systems before they cause problems.
Tools
- PowerShell (core scripting and remoting engine for detection and remediation)
- Invoke-Command (PowerShell cmdlet for remote registry and script execution)
- Get-ADComputer (Active Directory module cmdlet to enumerate domain computers)
- WSUS / SCCM / MECM / Intune (patch management platforms for enforcing reboot compliance)
- Registry Editor / reg.exe (manual inspection of pending reboot registry keys)