Learn
Documentation
Support
Community

Configuration guide: Operating systems - Stability, security, and compliance

Introduction

This library pack will help you monitor and manage various operating systems to ensure their stability, compliance, and performance. This page will guide you through the structure of the content.

Content list and dependency

This library pack contains the following content and dependencies:

Type
Name
Description
Dependencies

Live dashboards

OS Stability, Compliance, and Security

Helps to monitor and manage various operating systems to ensure their stability, compliance, and performance

Remote actions

Get XProtect status

Provides information about the status of the macOS XProtect (macOS built-in antivirus software) automatic update setting on macOS devices.

  • Required to populate specific dashboard widgets.

Get firewall options

Provides information about the status of the macOS firewall on macOS devices.

  • Required to populate specific dashboard widgets.

Get BitLocker information

Returns basic information on BitLocker protection status.

  • Required to populate specific dashboard widgets.

Get encryption information

Gets an APFS file system disk encryption and decryption information in addition to checking whether FileVault is enabled or not.

  • Required to populate specific dashboard widgets.

Get macOS updates and restart information

Gets information about macOS devices - the number of days since the last restart, whether there are pending updates, a list of names of pending updates, and others.

  • Required to populate specific dashboard widgets.

Test pending reboot

Checks if the device is waiting to reboot for an update.

  • Required to populate specific dashboard widgets.

Set firewall options

Configures firewall settings under System Preferences - Security & Privacy - Firewall on macOS devices.

Set XProtect status

Configures the XProtect status under System Preferences - Software Update - Advanced on macOS devices.

Install Windows update

Installs a ‘.msu’ patch on Windows devices.

Invoke Windows update

Restarts Windows Update and BITS services on Windows devices and forces the device to check for updates.

Set auto updates

Configures additional macOS automatic update settings under System Preferences - Software Update - Advanced on macOS devices.

Get Windows Feature update diagnosis

Executes Microsoft tool SetupDiag.exe, that process Windows Feature update log files and returns a list of possible failure reasons or upgrade confirmation.

Enable BitLocker Encryption

Enables BitLocker encryption on the device's system drive.

Custom fields

OS targeted quality update version

Defines the target quality update versions of Windows and macOS operating systems.

  • Required to populate specific dashboard widgets.

OS supported version

Determines which Windows and macOS operating system versions, editions, and builds are supported.

  • Required to populate specific dashboard widgets.

OS targeted feature update version

Defines the target feature update versions of Windows operating systems. Typically, this custom field requires version updates every month.

  • Required to populate specific dashboard widgets.

Configuration guide

To effectively use this library pack, the content must be installed and configured appropriately. Below are some suggested steps to install and configure the content properly before use.

Step 1) Install library pack content

Go to the Nexthink Library and install all required content.

Step 2) Configure remote actions

Navigate to the manage remote action administration page to review and edit your remote actions.

We recommend the following configurations for these remote actions:

Name
Trigger
Schedule query
Parameters to edit

Get XProtect status

Scheduled, daily

Code
1 devices
2 | where operating_system.platform == macos

Get firewall options

Scheduled, daily

Code
1 devices
2 | where operating_system.platform == macos

Get BitLocker information

Scheduled, daily

Code
1 devices
2 | where operating_system.platform == windows and operating_system.name != "*server*"

Get encryption information

Scheduled, daily

Code
1 devices
2 | where operating_system.platform == macos

Get macOS updates and restart information

Scheduled, daily

Code
1 devices
2 | where operating_system.platform == macos

Test pending reboot

Scheduled, daily

Code
1 devices
2 | where operating_system.platform == windows and operating_system.name != "*server*"

Set firewall options

Manual, can be triggered on multiple devices

  • Enable or disable macOS firewall status

  • Allow or refuse built-in software to receive incoming connections

  • Allow or refuse downloaded signed software to provide services accessed form the network

  • Allow or reject ICMP connections to the computer

Set XProtect status

Manual, can be triggered on multiple devices

  • Enable or disable macOS XProtect status on the device

Install Windows update

Manual, can be triggered on multiple devices

  • Provide URL or UNC path to the update (.msu) file

Invoke Windows update

Manual, can be triggered on multiple devices

Set auto updates

Manual, can be triggered on multiple devices

  • Enable or disable macOS 'Check for updates' setting.

  • Enable or disable macOS 'Download new updates when available' setting.

  • Enable or disable 'Install macOS Updates' setting.

  • Enable or disable 'Install app updates from the App store' setting.

Get Windows Feature update diagnosis

Manual, can be triggered on multiple devices

  • Configure the absolute path to the location of SetupDiag.exe tool on the target device. For example "C:\temp\SetupDiag.exe"

Enable BitLocker Encryption

Manual, can be triggered on multiple devices

  • Enable or disable the 'Enforce AD backup' setting.

  • Define the drive encryption type used by BitLocker.

  • Define the encryption method used by BitLocker: 'Aes128', 'Aes256', 'XtsAes128' or 'XtsAes256'

Step 3) Configure custom fields

Navigate to the manage custom fields administration page to review and edit your custom fields.

Operating system versions in the custom fields below are subject to change due to regular patches released by vendors and Apple and Microsoft support policies.

Typically, these versions need to be updated in the custom fields once a month to ensure you have the most current patch versions.

We recommend the following configurations for these custom fields:

Name
NQL ID
Rule name
Object
NQL query

OS targeted quality update version

os_targeted_quality_update_version

macos_sonoma

device

Code
1 devices
2 | where operating_system.platform == macos
3 | where operating_system.name == "*macOS Sonoma 14.6*"

macos_ventura

device

Code
1 devices
2 | where operating_system.platform == macos
3 | where operating_system.name == "*macOS Ventura 13.6.8*"

macos_monterey

device

Code
1 devices
2 | where operating_system.platform == macos
3 | where operating_system.name == "*macOS Monterey 12.7.6*"

windows_10_quality_update

device

Code
1 devices
2 | where operating_system.platform == windows and operating_system.name == "*windows 10*"
3 | where (operating_system.name == "*22h2*" and operating_system.build >= v19045.4717) or (operating_system.name == "*21h2*" and operating_system.build >= v19044.4651)

windows_11_quality_update

device

1 devices
2 | where operating_system.platform == windows and operating_system.name == "*windows 11*"
3 | where (operating_system.name == "*22H2*" and operating_system.build >= v22621.3958) or (operating_system.name == "*23H2*" and operating_system.build >= v22631.3958)

OS targeted feature update version

os_targeted_feature_update_version

windows_10_feature_update

device

Code
1 devices
2 | where operating_system.platform == windows and operating_system.name == "*windows 10*"
3 | where (operating_system.name =="Windows 10*22H2*" or (operating_system.name =="Windows 10*21H2*" and device.operating_system.name == "*ltsc*"))

windows_11_feature_update

device

Code
1 devices
2 | where operating_system.platform == windows and operating_system.name == "*windows 11*"
3 | where operating_system.name == "*23H2*"

OS supported version

os_supported_version

macos_unsupported_version

device

Code
1 devices
2 | where operating_system.platform == macos
3 | where operating_system.name !in ["*Ventura*","*Monterey*","*Sonoma*"]

macos_supported_version

device

Code
1 devices
2 | where operating_system.platform == macos
3 | where operating_system.name in ["*Ventura*","*Monterey*","*Sonoma*"]

windows_unsupported_version

device

Code
1 devices
2 | where operating_system.platform == windows and operating_system.name != "*server*"
3 | where (operating_system.name !in ["*enterprise*", "*education*", "*ltsc*", "*ltsb*"] and operating_system.name in ["*windows 11*"] and operating_system.build < v22621.521) or (operating_system.name !in ["*enterprise*", "*education*", "*ltsc*", "*ltsb*"] and operating_system.build < v19045.0) or (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name in ["*pro*", "*pro*"] and operating_system.build < v19045.2130) or (operating_system.name in ["*enterprise*", "*education*"] and operating_system.name !in [ "*ltsc*", "*ltsb*"] and operating_system.build < v19044.0) or (operating_system.name in [ "*ltsc*", "*ltsb*"] and operating_system.build < v19044.0) or operating_system.name == "*Windows 7*" or operating_system.name == "*Windows 8*" or operating_system.build < v7601.0

windows_supported_version

device

Code
1 devices
2 | where operating_system.platform == windows and operating_system.name != "*server*"
3 | where (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name in ["*enterprise*", "*education*"] and operating_system.name == "*windows 11*" and operating_system.build > v22000.194) or (operating_system.name !in ["*ltsc*", "*ltsb*", "*enterprise*", "*education*"] and operating_system.name == "*windows 11*" and operating_system.build > v22621.521) or (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name == "*windows 10*" and operating_system.name in ["*enterprise*", "*education*"] and operating_system.build > v19044.1288) or (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name in ["*pro*", "*pro*"] and operating_system.name == "windows 10*" and operating_system.build > v19045.0) or (operating_system.name in ["*ltsc*", "*ltsb*"] and operating_system.build > v19044.0)

Usage guide

Your content is now configured and ready to be used. For usage overview and recommendations, you can visit the usage guide:

Usage guide: Operating systems - Stability, security, and compliance

Last updated

© Nexthink

Privacy policyResponsible Disclosure Policy

#451: 2024.8-Overview of integration DOC

Change request updated