# Configuration guide: Operating systems - Stability, security, and compliance ## Introduction This library pack will help you monitor and manage various operating systems to ensure their stability, compliance, and performance. This page will guide you through the structure of the content. ## Content list and dependency This library pack contains the following content and dependencies: | Type | Name | Description | Dependencies | | ---------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ | | [Live dashboards](https://nexthink.gitbook.io/opd/user-guide/live-dashboards) | OS Stability, Compliance, and Security | Helps to monitor and manage various operating systems to ensure their stability, compliance, and performance | | | [Remote actions](https://nexthink.gitbook.io/opd/user-guide/remote-actions) | Get XProtect status | Provides information about the status of the macOS XProtect (macOS built-in antivirus software) automatic update setting on macOS devices. | | | | Get firewall options | Provides information about the status of the macOS firewall on macOS devices. | | | | Get BitLocker information | Returns basic information on BitLocker protection status. | | | | Get encryption information | Gets an APFS file system disk encryption and decryption information in addition to checking whether FileVault is enabled or not. | | | | Get macOS updates and restart information | Gets information about macOS devices - the number of days since the last restart, whether there are pending updates, a list of names of pending updates, and others. | | | | Test pending reboot | Checks if the device is waiting to reboot for an update. | | | | Set firewall options | Configures firewall settings under System Preferences - Security & Privacy - Firewall on macOS devices. | | | | Set XProtect status | Configures the XProtect status under System Preferences - Software Update - Advanced on macOS devices. | | | | Install Windows update | Installs a ‘.msu’ patch on Windows devices. | | | | Invoke Windows update | Restarts Windows Update and BITS services on Windows devices and forces the device to check for updates. | | | | Set auto updates | Configures additional macOS automatic update settings under System Preferences - Software Update - Advanced on macOS devices. | | | | Get Windows Feature update diagnosis | Executes Microsoft tool SetupDiag.exe, that process Windows Feature update log files and returns a list of possible failure reasons or upgrade confirmation. | | | | Enable BitLocker Encryption | Enables BitLocker encryption on the device's system drive. | | | [Custom fields](https://nexthink.gitbook.io/opd/user-guide/administration/content-management/custom-fields-management) | OS targeted quality update version | Defines the target quality update versions of Windows and macOS operating systems. | | | | OS supported version | Determines which Windows and macOS operating system versions, editions, and builds are supported. | | | | OS targeted feature update version | Defines the target feature update versions of Windows operating systems. Typically, this custom field requires version updates every month. | | ## Configuration guide To effectively use this library pack, the content must be installed and configured appropriately. Below are some suggested steps to install and configure the content properly before use. ### **Step 1) Install library pack content** Go to the [Nexthink Library ](https://nexthink.gitbook.io/opd/user-guide/nexthink-library)and install all required content. ### **Step 2) Configure remote actions** Navigate to the [manage remote action](https://nexthink.gitbook.io/opd/user-guide/remote-actions/managing-remote-actions) administration page to review and edit your remote actions. We recommend the following configurations for these remote actions:
NameTriggerSchedule queryParameters to edit
Get XProtect statusScheduled, daily
1 devices
2 | where operating_system.platform == macos
Get firewall optionsScheduled, daily
1 devices
2 | where operating_system.platform == macos
Get BitLocker informationScheduled, daily
1 devices
2 | where operating_system.platform == windows and operating_system.name != "*server*"
Get encryption informationScheduled, daily
1 devices
2 | where operating_system.platform == macos
Get macOS updates and restart informationScheduled, daily
1 devices
2 | where operating_system.platform == macos
Test pending rebootScheduled, daily
1 devices
2 | where operating_system.platform == windows and operating_system.name != "*server*"
Set firewall optionsManual, can be triggered on multiple devices
  • Enable or disable macOS firewall status
  • Allow or refuse built-in software to receive incoming connections
  • Allow or refuse downloaded signed software to provide services accessed form the network
  • Allow or reject ICMP connections to the computer
Set XProtect statusManual, can be triggered on multiple devices
  • Enable or disable macOS XProtect status on the device
Install Windows updateManual, can be triggered on multiple devices
  • Provide URL or UNC path to the update (.msu) file
Invoke Windows updateManual, can be triggered on multiple devices
Set auto updatesManual, can be triggered on multiple devices
  • Enable or disable macOS 'Check for updates' setting.
  • Enable or disable macOS 'Download new updates when available' setting.
  • Enable or disable 'Install macOS Updates' setting.
  • Enable or disable 'Install app updates from the App store' setting.
Get Windows Feature update diagnosisManual, can be triggered on multiple devices
  • Configure the absolute path to the location of SetupDiag.exe tool on the target device. For example "C:\temp\SetupDiag.exe"
Enable BitLocker EncryptionManual, can be triggered on multiple devices
  • Enable or disable the 'Enforce AD backup' setting.
  • Define the drive encryption type used by BitLocker.
  • Define the encryption method used by BitLocker: 'Aes128', 'Aes256', 'XtsAes128' or 'XtsAes256'
### **Step 3) Configure custom fields** Navigate to the [manage custom fields ](https://nexthink.gitbook.io/opd/user-guide/administration/content-management/custom-fields-management)administration page to review and edit your custom fields. {% hint style="info" %} Operating system versions in the custom fields below are subject to change due to regular patches released by vendors and Apple and Microsoft support policies. Typically, these versions need to be updated in the custom fields once a month to ensure you have the most current patch versions. {% endhint %} We recommend the following configurations for these custom fields:
NameNQL IDRule nameObjectNQL query
OS targeted quality update versionos_targeted_quality_update_versionmacos_sonomadevice
1 devices
2 | where operating_system.platform == macos
3 | where operating_system.name == "*macOS Sonoma 14.6*"
macos_venturadevice
1 devices
2 | where operating_system.platform == macos
3 | where operating_system.name == "*macOS Ventura 13.6.8*"
macos_montereydevice
1 devices
2 | where operating_system.platform == macos
3 | where operating_system.name == "*macOS Monterey 12.7.6*"
windows_10_quality_updatedevice
1 devices
2 | where operating_system.platform == windows and operating_system.name == "*windows 10*"
3 | where (operating_system.name == "*22h2*" and operating_system.build >= v19045.4717) or (operating_system.name == "*21h2*" and operating_system.build >= v19044.4651)
windows_11_quality_updatedevice
1 devices
2 | where operating_system.platform == windows and operating_system.name == "*windows 11*"
3 | where (operating_system.name == "*22H2*" and operating_system.build >= v22621.3958) or (operating_system.name == "*23H2*" and operating_system.build >= v22631.3958)
OS targeted feature update versionos_targeted_feature_update_versionwindows_10_feature_updatedevice
1 devices
2 | where operating_system.platform == windows and operating_system.name == "*windows 10*"
3 | where (operating_system.name =="Windows 10*22H2*" or (operating_system.name =="Windows 10*21H2*" and device.operating_system.name == "*ltsc*"))
windows_11_feature_updatedevice
1 devices
2 | where operating_system.platform == windows and operating_system.name == "*windows 11*"
3 | where operating_system.name == "*23H2*"
OS supported versionos_supported_versionmacos_unsupported_versiondevice
1 devices
2 | where operating_system.platform == macos
3 | where operating_system.name !in ["*Ventura*","*Monterey*","*Sonoma*"]
macos_supported_versiondevice
1 devices
2 | where operating_system.platform == macos
3 | where operating_system.name in ["*Ventura*","*Monterey*","*Sonoma*"]
windows_unsupported_versiondevice
1 devices
2 | where operating_system.platform == windows and operating_system.name != "*server*"
3 | where (operating_system.name !in ["*enterprise*", "*education*", "*ltsc*", "*ltsb*"] and operating_system.name in ["*windows 11*"] and operating_system.build < v22621.521) or (operating_system.name !in ["*enterprise*", "*education*", "*ltsc*", "*ltsb*"] and operating_system.build < v19045.0) or (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name in ["*pro*", "*pro*"] and operating_system.build < v19045.2130) or (operating_system.name in ["*enterprise*", "*education*"] and operating_system.name !in [ "*ltsc*", "*ltsb*"] and operating_system.build < v19044.0) or (operating_system.name in [ "*ltsc*", "*ltsb*"] and operating_system.build < v19044.0) or operating_system.name == "*Windows 7*" or operating_system.name == "*Windows 8*" or operating_system.build < v7601.0
windows_supported_versiondevice
1 devices
2 | where operating_system.platform == windows and operating_system.name != "*server*"
3 | where (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name in ["*enterprise*", "*education*"] and operating_system.name == "*windows 11*" and operating_system.build > v22000.194) or (operating_system.name !in ["*ltsc*", "*ltsb*", "*enterprise*", "*education*"] and operating_system.name == "*windows 11*" and operating_system.build > v22621.521) or (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name == "*windows 10*" and operating_system.name in ["*enterprise*", "*education*"] and operating_system.build > v19044.1288) or (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name in ["*pro*", "*pro*"] and operating_system.name == "windows 10*" and operating_system.build > v19045.0) or (operating_system.name in ["*ltsc*", "*ltsb*"] and operating_system.build > v19044.0)
## Usage guide Your content is now configured and ready to be used. For usage overview and recommendations, you can visit the usage guide: [Usage guide: Operating systems - Stability, security, and compliance](/platform/~/changes/Sh4xqs4GDClkDKT9Hvux/library-packs/operating-systems/operating-systems-stability-security-and-compliance/operating-systems-stability-security-and-compliance-usage-guide.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.nexthink.com/platform/~/changes/Sh4xqs4GDClkDKT9Hvux/library-packs/operating-systems/operating-systems-stability-security-and-compliance/operating-systems-stability-security-and-compliance-configuration-guide.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.