System State
The System State tab on the agent detail page provides detailed operating system telemetry, installed update history, endpoint protection status, and Windows Defender health. This tab focuses on the endpoint's software state and security posture.
Pending updates and system summary information are displayed in the always-visible sections above the tab bar, not within this tab. The System State tab shows deeper telemetry data that complements those summary panels.
Operating System
A detailed breakdown of the endpoint's OS configuration:
| Field | Description |
|---|---|
| Name | Full OS name (e.g., Windows 11 Pro, Ubuntu 24.04) |
| Edition | OS edition (e.g., Pro, Enterprise, Server Standard) |
| Version | Feature version (e.g., 24H2 for Windows, kernel version for Linux) |
| Build | OS build number including UBR (e.g., 26200.7848) |
| Architecture | System architecture (e.g., x64) |
| Locale | System locale setting |
| Restart Required | Whether a reboot is pending |
| ESU License | Extended Security Updates license status, shown only for OSes past their end-of-support date (Windows Server 2012/2012 R2, Server 2016, Server 2019, Windows 10) |
Version Components (Windows only)
Tracks versions of key Windows platform components:
- MSRT Version - Microsoft Malicious Software Removal Tool version
- Security App - Windows Security app version (not applicable on Server editions)
- .NET Framework - Installed .NET Framework versions
- .NET Runtimes - Installed .NET runtime versions (e.g., NETCore.App 8.0.11, WindowsDesktop.App 6.0.36)
Microsoft Office (Windows only)
If Microsoft Office is installed, this section shows:
- Version - Installed Office version number
- Architecture - Office architecture (x86 or x64)
- Channel - Update channel (e.g., Monthly Enterprise, Semi-Annual)
- Products - Installed Office products (e.g., Word, Excel, Outlook)
- Update status - Whether an Office update is available, with the target version displayed
Installed Updates
A scrollable table listing all updates currently installed on the endpoint.
Windows endpoints show:
- KB number, update name, and release date for each installed KB
- KB details are enriched from the update catalog when available
Linux endpoints show:
- Package name and version for each installed security package
macOS endpoints show:
- Update name, version, and release date for each installed system update
- Apple Security Advisory references are linked inline when the update was published with an associated advisory
Servicing Health
Pre-flight checks that look at the system state Windows cumulative updates depend on. When one of these checks fails, the next cumulative update will install, reboot, then roll back at 98% with errors like 0x800f0922 and revert to the prior state. The Servicing Health section surfaces the failing check up front so you can fix the underlying cause before triggering an install, instead of troubleshooting the failure afterward.
This section appears on Windows endpoints only. The status badge in the section header summarizes the endpoint's overall readiness:
| Badge | Meaning |
|---|---|
| Ready for updates | All checks passed. The endpoint is in a state where cumulative updates can install successfully. |
| Action recommended | One or more checks returned a warning. The next update may still install, but the warned-on subsystem (for example, free space approaching its threshold) is worth addressing. |
| Update install blocked | One or more checks returned a critical finding. Cumulative updates that try to install in this state are expected to fail. The fix is shown inline along with the relevant Microsoft KB article. |
When everything is healthy, the section displays a single line confirming all checks passed and the timestamp of the most recent measurement. When a check fails, only the failing checks are listed, each with a plain-language summary, the recommended fix, and a link to the Microsoft KB article that documents the supported repair procedure.
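How per-check results roll up into the header badge, as an added example (not TridentStack Control's own code) using the thresholds from the Checks performed table. The measurement field names and the 1024-based MB/GB units are assumptions. The WinRE consistency check is left out because the page does not state its severity.

```python
MB, GB = 1024 ** 2, 1024 ** 3  # assumption: binary units

# (warn_below, critical_below) in bytes, from the Checks performed table.
THRESHOLDS = {
    "EFI System Partition Free Space": (100 * MB, 50 * MB),
    "Recovery Partition Size": (750 * MB, 500 * MB),
    "C: Free Space": (20 * GB, 10 * GB),
}

def evaluate(measurements):
    """Return {check name: severity} for failing checks only."""
    findings = {}
    for name, (warn_below, critical_below) in THRESHOLDS.items():
        value = measurements.get(name)
        if value is None:
            continue  # not measured on this endpoint
        if value < critical_below:
            findings[name] = "critical"
        elif value < warn_below:
            findings[name] = "warning"
    # These two checks only warn; the keys are hypothetical field names.
    if measurements.get("cbs_pending_indicators"):
        findings["CBS Pending Operations"] = "warning"
    if measurements.get("checksur_unrepaired", 0) > 0:
        findings["CheckSUR Errors"] = "warning"
    return findings

def badge(findings):
    """Worst severity wins: any critical finding blocks installs."""
    if "critical" in findings.values():
        return "Update install blocked"
    if findings:
        return "Action recommended"
    return "Ready for updates"

if __name__ == "__main__":
    # Constructed measurements: a legacy layout with a 500 MB recovery partition.
    legacy = {
        "EFI System Partition Free Space": 40 * MB,
        "Recovery Partition Size": 500 * MB,  # exactly 500 MB is a warning, not critical
        "C: Free Space": 60 * GB,
    }
    found = evaluate(legacy)
    print(badge(found), found)
```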
Checks performed
| Check | What it looks at | Why it matters |
|---|---|---|
| WinRE Configuration Consistency | The reagentc /info output, C:\Windows\System32\Recovery\ReAgent.xml, and the WinRE entry in the Boot Configuration Data store. The check passes when WinRE is disabled, or when WinRE is enabled and the BCD identifier in ReAgent.xml matches what reagentc reports. | Cumulative updates refresh winre.wim when WinRE is enabled. When ReAgent.xml references a partition or BCD entry that no longer exists (a common state on long-lived imaged systems), the install reaches the post-reboot commit phase and reverts. The Microsoft-supported reset script in KB5034957 is the standard repair. |
| EFI System Partition Free Space | The total and free bytes on the GPT EFI System Partition (mounted briefly via mountvol). | Post-April 2026 cumulative updates ship larger boot files than the legacy 100 MB ESPs common on older Windows 10/11 systems can absorb. The check warns at <100 MB free and flags critical at <50 MB free. The resize procedure is documented in KB5028997. |
| Recovery Partition Size | The total size of the partition that holds winre.wim, identified by parsing the WinRE location reported by reagentc /info and looking up the partition with Get-Partition. | winre.wim has grown across recent feature updates; recovery partitions sized to the legacy 500 MB no longer fit the current image. The check warns at <750 MB and flags critical at <500 MB. The resize procedure is documented in KB5034957. |
| CBS Pending Operations | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PendingRequired and RebootPending registry keys, plus C:\Windows\WinSxS\pending.xml. | Pending Component-Based Servicing operations from a previous failed update or feature change block subsequent cumulative updates from installing. The check warns when any indicator is present and recommends dism /online /cleanup-image /restorehealth followed by a reboot. |
| C: Free Space | The free bytes on the C: drive (queried directly via Win32 GetDiskFreeSpaceExW). | Cumulative updates download and stage content under C:\Windows\SoftwareDistribution and C:\$WinPE_Boot before installing. Recent CUs need 8-10 GB of headroom at peak. The check warns at <20 GB free and flags critical at <10 GB free. |
| CheckSUR Errors | The last 256 KB of C:\Windows\Logs\CBS\CheckSUR.log, counting (f) lines that are not followed by a (fix) line on the next non-blank row. | Unrepaired entries in the CheckSUR log strongly correlate with cumulative update failures. The check warns when any unrepaired errors are present and recommends dism /online /cleanup-image /restorehealth and sfc /scannow. |
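The CheckSUR Errors rule from the table above, written out as an added example (not the agent's own code): read only the last 256 KB of the log and count (f) rows whose next non-blank row is not a (fix) row. The log encoding and the sample log text are assumptions constructed for illustration.

```python
import os

TAIL_BYTES = 256 * 1024  # the check reads only the last 256 KB of the log

def read_tail(path, limit=TAIL_BYTES):
    """Return the last `limit` bytes of a file as text."""
    with open(path, "rb") as fh:
        size = fh.seek(0, os.SEEK_END)
        start = max(0, size - limit)
        fh.seek(start)
        text = fh.read().decode("utf-8", errors="replace")  # encoding is an assumption
    if start > 0:
        # The window probably begins mid-line; drop that fragment.
        text = text.split("\n", 1)[1] if "\n" in text else ""
    return text

def count_unrepaired(text):
    """Return the (f) rows whose next non-blank row is not a (fix) row."""
    rows = [ln.strip() for ln in text.splitlines() if ln.strip()]
    unrepaired = []
    for i, row in enumerate(rows):
        if row.startswith("(f)"):
            following = rows[i + 1] if i + 1 < len(rows) else ""
            if not following.startswith("(fix)"):
                unrepaired.append(row)
    return unrepaired

def checksur_status(path, limit=TAIL_BYTES):
    """Map the count to the check result: any unrepaired entry is a warning."""
    n = len(count_unrepaired(read_tail(path, limit)))
    return ("warning" if n else "ok", n)

# Constructed sample log text (package names are placeholders).
SAMPLE = (
    "Checking Package Manifests and Catalogs\n"
    "(f)\tCBS MUM Corrupt\t0x00000000\tservicing\\Packages\\Package_A.mum\n"
    "(fix)\tCBS MUM Corrupt\tCBS File Replaced\tPackage_A.mum\n"
    "\n"
    "(f)\tCBS MUM Missing\t0x00000002\tservicing\\Packages\\Package_B.mum\n"
    "\n"
    "Summary:\n"
    "(f)\tCBS Catalog Missing\t0x00000002\tservicing\\Packages\\Package_C.cat\n"
)

if __name__ == "__main__":
    for row in count_unrepaired(SAMPLE):
        print("unrepaired:", row)
```

Because only the tail is read, old unrepaired entries that have scrolled out of the 256 KB window no longer count toward the finding.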
Frequency
Probes run shortly after the agent connects to the server (on agent startup, restart, or reconnect). Findings are stored as the latest known state, one row per check per endpoint, so the section reflects the most recent measurement rather than a history. To re-run probes manually, restart the TridentStack Control agent service on the endpoint.
What to do when a check fails
- Read the Fix line on the failing check for a one-sentence summary of the supported repair.
- Click the linked Microsoft KB article for the full procedure.
- After you run the repair on the endpoint, the next probe submission clears the finding (or, if the issue persists, re-flags it with details that help narrow down the cause).
Endpoint Protection
Shows the endpoint's EDR (Endpoint Detection and Response) and antivirus status:
- Status badge - Active (green), Detected (yellow), Defender Only (default), or Not Detected (red)
- Primary EDR - The primary endpoint protection product if detected
- Product list - All detected security products with vendor, version, and running state
- If a third-party EDR is active and has disabled Windows Defender, a note explains that Defender is disabled because the third-party product is providing protection
Windows Defender (Windows only)
Detailed Windows Defender health information:
| Field | Description |
|---|---|
| Status badge | Up to Date (green), Out of Date (yellow, signatures older than 24 hours), Critical (red, signatures older than 7 days), or Disabled |
| Signature Version | Current definition signature version |
| Signature Age | Hours or days since last signature update |
| Engine Version | Defender engine version |
| Product Version | Defender product version |
| Last Updated | Timestamp of the most recent signature update |
When a third-party EDR has disabled Windows Defender (engine version shows 0.0.0.0), all fields display "N/A" and the status shows "Disabled".
Refresh
The tab header includes a refresh button that triggers the agent to collect and send fresh system state telemetry. The button is disabled when:
- The agent is offline
- A system applicability refresh is already in progress (system state is collected as a sub-task)
- A vulnerability scan is in progress (also includes system state collection)