Configuration guide: Windows OS compliance

The configuration options on this page are only accessible to administrators.

Refer to the Usage guide: Windows OS compliance to use library content as a standard user.

This library pack will help you monitor and manage various operating systems to ensure their stability, compliance, and performance. This page will guide you through the structure of the content.

Included content and dependencies

This library pack contains the following content and dependencies:

Type
Name
Description
Dependencies

Windows OS compliance

Helps to monitor and manage various Windows operating system versions to ensure their stability, compliance, and performance

N/A

Get BitLocker information

Returns basic information on BitLocker protection status.

  • Required to populate specific dashboard widgets.

Test pending reboot

Checks if the device is waiting to reboot for an update.

  • Required to populate specific dashboard widgets.

Install Windows update

Installs a ‘.msu’ patch on Windows devices.

N/A

Invoke Windows update

Restarts Windows Update and BITS services on Windows devices and forces the device to check for updates.

N/A

Get Windows Feature update diagnosis

Executes the Microsoft tool SetupDiag.exe, which processes Windows Feature update log files and returns a list of possible failure reasons or an upgrade confirmation.

N/A

Enable BitLocker Encryption

Enables BitLocker encryption on the device's system drive.

N/A

OS targeted quality update version

Defines the target quality update versions of Windows operating systems.

  • Required to populate specific dashboard widgets.

OS supported version

Determines which Windows operating system versions, editions, and builds are supported.

  • Required to populate specific dashboard widgets.

OS targeted feature update version

Defines the target feature update versions of Windows operating systems. Typically, this custom field requires version updates every month.

  • Required to populate specific dashboard widgets.

Configuring Windows OS Compliance

Adapt these suggested configuration steps to edit and customize content according to your organizational needs.

To use this library pack effectively, the content must be installed and configured appropriately before use.

Follow these suggested steps to install and configure the content:

Step 1 - Configure remote actions

Navigate to the manage remote action administration page to review and edit your remote actions.

Nexthink recommends the following configurations for these remote actions:

Name
Trigger
Schedule query
Parameters to edit

Get BitLocker information

Scheduled, daily

devices
| where operating_system.platform == windows and operating_system.name != "*server*"

Test pending reboot

Scheduled, daily

devices
| where operating_system.platform == windows and operating_system.name != "*server*"

Install Windows update

Manual, can be triggered on multiple devices

  • Provide URL or UNC path to the update (.msu) file

Invoke Windows update

Manual, can be triggered on multiple devices

Get Windows Feature update diagnosis

Manual, can be triggered on multiple devices

  • Configure the absolute path to the SetupDiag.exe tool on the target device, for example "C:\temp\SetupDiag.exe".

Enable BitLocker Encryption

Manual, can be triggered on multiple devices

  • Enable or disable the 'Enforce AD backup' setting.

  • Define the drive encryption type used by BitLocker.

  • Define the encryption method used by BitLocker: 'Aes128', 'Aes256', 'XtsAes128' or 'XtsAes256'

Step 2 - Configure custom fields

Navigate to the manage custom fields administration page to review and edit your custom fields.

Operating system versions in the custom fields below are subject to change, both because vendors release regular patches and because of Apple and Microsoft support policies.

Typically, these versions need to be updated in the custom fields once a month to ensure you have the most current patch versions.

Nexthink recommends the following configurations for these custom fields:

Name
NQL ID
Rule name
Object
NQL query

OS targeted quality update version

os_targeted_quality_update_version

windows_10_quality_update

device

devices
| where operating_system.platform == windows and operating_system.name == "*windows 10*"
| where (operating_system.name == "*22h2*" and operating_system.build >= v19045.4717) or (operating_system.name == "*21h2*" and operating_system.build >= v19044.4651)

windows_11_quality_update

device

devices
| where operating_system.platform == windows and operating_system.name == "*windows 11*"
| where (operating_system.name == "*22H2*" and operating_system.build >= v22621.3958) or (operating_system.name == "*23H2*" and operating_system.build >= v22631.3958)

OS targeted feature update version

os_targeted_feature_update_version

windows_10_feature_update

device

devices
| where operating_system.platform == windows and operating_system.name == "*windows 10*"
| where (operating_system.name == "Windows 10*22H2*" or (operating_system.name == "Windows 10*21H2*" and device.operating_system.name == "*ltsc*"))

windows_11_feature_update

device

devices
| where operating_system.platform == windows and operating_system.name == "*windows 11*"
| where operating_system.name == "*23H2*"

OS supported version

os_supported_version

windows_unsupported_version

device

devices
| where operating_system.platform == windows and operating_system.name != "*server*"
| where (operating_system.name !in ["*enterprise*", "*education*", "*ltsc*", "*ltsb*"] and operating_system.name in ["*windows 11*"] and operating_system.build < v22621.521) or (operating_system.name !in ["*enterprise*", "*education*", "*ltsc*", "*ltsb*"] and operating_system.build < v19045.0) or (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name in ["*pro*", "*pro*"] and operating_system.build < v19045.2130) or (operating_system.name in ["*enterprise*", "*education*"] and operating_system.name !in [ "*ltsc*", "*ltsb*"] and operating_system.build < v19044.0) or (operating_system.name in [ "*ltsc*", "*ltsb*"] and operating_system.build < v19044.0) or operating_system.name == "*Windows 7*" or operating_system.name == "*Windows 8*" or operating_system.build < v7601.0

windows_supported_version

device

devices
| where operating_system.platform == windows and operating_system.name != "*server*"
| where (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name in ["*enterprise*", "*education*"] and operating_system.name == "*windows 11*" and operating_system.build > v22000.194) or (operating_system.name !in ["*ltsc*", "*ltsb*", "*enterprise*", "*education*"] and operating_system.name == "*windows 11*" and operating_system.build > v22621.521) or (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name == "*windows 10*" and operating_system.name in ["*enterprise*", "*education*"] and operating_system.build > v19044.1288) or (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name in ["*pro*", "*pro*"] and operating_system.name == "windows 10*" and operating_system.build > v19045.0) or (operating_system.name in ["*ltsc*", "*ltsb*"] and operating_system.build > v19044.0)
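An offline dry run of the windows_10_quality_update and windows_11_quality_update rules above, added here as an illustration (it is not Nexthink's code). It assumes that the NQL `*` wildcard matches case-insensitively and that `v`-prefixed build literals compare numerically per component; the device records and their field names (`host`, `platform`, `name`, `build`) are constructed.

```python
# Added example: offline dry run of the page's quality-update rules.
# Assumed NQL semantics: '*' is a case-insensitive wildcard, and v-prefixed
# build literals compare numerically, component by component.
from fnmatch import fnmatchcase

# (rule name, OS name pattern, release pattern, minimum build), copied from the page.
RULES = [
    ("windows_10_quality_update", "*windows 10*", "*22h2*", "v19045.4717"),
    ("windows_10_quality_update", "*windows 10*", "*21h2*", "v19044.4651"),
    ("windows_11_quality_update", "*windows 11*", "*22H2*", "v22621.3958"),
    ("windows_11_quality_update", "*windows 11*", "*23H2*", "v22631.3958"),
]

def build_key(build):
    """'v19045.4717' or '19045.4717' -> (19045, 4717) for numeric comparison."""
    return tuple(int(part) for part in build.lstrip("vV").split("."))

def wildcard(name, pattern):
    """Case-insensitive '*' match (assumed NQL behaviour)."""
    return fnmatchcase(name.lower(), pattern.lower())

def matching_rule(device):
    """Return the name of the rule a device record satisfies, or None."""
    if device["platform"] != "windows":
        return None  # non-Windows builds are never parsed
    for rule, os_pat, release_pat, min_build in RULES:
        if (wildcard(device["name"], os_pat)
                and wildcard(device["name"], release_pat)
                and build_key(device["build"]) >= build_key(min_build)):
            return rule
    return None

# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    {"host": "pc-01", "platform": "windows", "name": "Windows 10 Pro 22H2 (64 bits)", "build": "19045.4717"},
    {"host": "pc-02", "platform": "windows", "name": "Windows 10 Pro 22H2 (64 bits)", "build": "19045.999"},
    {"host": "pc-03", "platform": "windows", "name": "Windows 11 Enterprise 23H2 (64 bits)", "build": "22631.3958"},
    {"host": "pc-04", "platform": "windows", "name": "Windows 11 Enterprise 24H2 (64 bits)", "build": "26100.1150"},
    {"host": "mac-01", "platform": "macos", "name": "macOS 14.5", "build": "23F79"},
]

def report(devices):
    """Map each host to the rule it matches (None when no rule applies)."""
    return {d["host"]: matching_rule(d) for d in devices}

if __name__ == "__main__":
    for host, rule in report(SAMPLE_DEVICES).items():
        print(f"{host}: {rule or 'no rule matched'}")
```

pc-02 shows why the build has to be compared numerically: as plain strings, "19045.999" sorts after "19045.4717" and would pass. pc-04 matches no rule until its release and target build are added to the custom field.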
