For pending file rename operations analysis

SLB 2022-05-12 15:28:20 UTC #21

You need substrings and that will avoid the singular expression refers to a non-unique object error

SLB 2022-05-12 15:29:30 UTC #22

Ninja’d by @JasonWalker

tarwaniv 2022-05-12 15:30:00 UTC #23

Ammended, ty Jason!!

tarwaniv 2022-05-12 15:34:25 UTC #24

Done, thanks a lot!! I think BigFix.me should also be amended.
https://bigfix.me/analysis/details/2998574

JasonWalker 2022-05-12 16:06:08 UTC #25

The analysis at that link actually looks correct to me, just a different method to get the same result. The content at BigFix.me is community-sourced, you’d need to comment on the analysis there to ask the original poster to update their version of the analysis.

Mike 2022-05-16 09:57:21 UTC #26

Here is a slightly more comprehensive single property we have deployed for this purpose. It pulls back the reason(s) as well as details (when applicable) for the following typical pending restart reasons:

Component Based Servicing
Windows Update Auto Update
Domain Join
Pending Computer Rename
Pending File Rename Operations

I’m sure Windows is hiding a few more flags but this appears to cover all of the cases we have run across in our environment. If anyone wants to build out the non-windows portion (or knows of a Windows case this doesn’t cover)…

if (pending restart | false) then (if (windows of operating system) then ((("Component Based Servicing: True") of keys "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending" of it; ("Windows Update Auto Update: " & (name of it as string | "")) of values of keys "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired" of it; ("Domain Join: " & (name of it as string | "")) of values whose (name of it = "JoinDomain" or name of it = "AvoidSpnSet") of keys "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon" of it; ("Pending Computer Rename: " & (item 0 of it as string | "") & " to " & (item 1 of it as string | "")) of (values "ComputerName" of keys "ActiveComputerName" of it, values "ComputerName" of keys "ComputerName" of it) whose (item 0 of it != item 1 of it) of keys "HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\" of it; ("Pending File Rename Operations: " & (it as string | "")) of (substrings separated by "%00%00" of (it as string)) whose (it as string != "" and it as string != "%00") of values whose (name of it = "PendingFileRenameOperations") of keys "HKLM\System\CurrentControlSet\Control\Session Manager" of it; (("BigFix Action Registered: " & (it as string | "")) of pending restart names)) of registry) else (if (exists pending restart names) then (("BigFix Action Registered: " & (it as string | "")) of pending restart names) else "Other Reason")) else "Not Pending Restart"