System State
The System State tab on the agent detail page provides detailed operating system telemetry, installed update history, endpoint protection status, and Windows Defender health. This tab focuses on the endpoint's software state and security posture.
Pending updates and system summary information are displayed in the always-visible sections above the tab bar, not within this tab. The System State tab shows deeper telemetry data that complements those summary panels.
Operating System
A detailed breakdown of the endpoint's OS configuration:
| Field | Description |
|---|---|
| Name | Full OS name (e.g., Windows 11 Pro, Ubuntu 24.04) |
| Edition | OS edition (e.g., Pro, Enterprise, Server Standard) |
| Version | Feature version (e.g., 24H2 for Windows, kernel version for Linux) |
| Build | OS build number including UBR (e.g., 26200.7848) |
| Architecture | System architecture (e.g., x64) |
| Locale | System locale setting |
| Restart Required | Whether a reboot is pending |
| ESU License | Extended Security Updates license status, shown only for OSes past their end-of-support date (Windows Server 2012/2012 R2, Server 2016, Server 2019, Windows 10) |
Version Components (Windows only)
Tracks versions of key Windows platform components:
- MSRT Version - Microsoft Malicious Software Removal Tool version
- Security App - Windows Security app version (not applicable on Server editions)
- .NET Framework - Installed .NET Framework versions
- .NET Runtimes - Installed .NET runtime versions (e.g., NETCore.App 8.0.11, WindowsDesktop.App 6.0.36)
Microsoft Office (Windows only)
If Microsoft Office is installed, this section shows:
- Version - Installed Office version number
- Architecture - Office architecture (x86 or x64)
- Channel - Update channel (e.g., Monthly Enterprise, Semi-Annual)
- Products - Installed Office products (e.g., Word, Excel, Outlook)
- Update status - Whether an Office update is available, with the target version displayed
Installed Updates
A scrollable table listing all updates currently installed on the endpoint.
Windows endpoints show:
- KB number, update name, and release date for each installed KB
- KB details are enriched from the update catalog when available
Linux endpoints show:
- Package name and version for each installed security package
Endpoint Protection
Shows the endpoint's EDR (Endpoint Detection and Response) and antivirus status:
- Status badge - Active (green), Detected (yellow), Defender Only (default), or Not Detected (red)
- Primary EDR - The primary endpoint protection product if detected
- Product list - All detected security products with vendor, version, and running state
- If a third-party EDR is active and has disabled Windows Defender, a note explains that Defender is disabled because the third-party product is providing protection
Windows Defender (Windows only)
Detailed Windows Defender health information:
| Field | Description |
|---|---|
| Status badge | Up to Date (green), Out of Date (yellow, signatures older than 24 hours), Critical (red, signatures older than 7 days), or Disabled |
| Signature Version | Current definition signature version |
| Signature Age | Hours or days since last signature update |
| Engine Version | Defender engine version |
| Product Version | Defender product version |
| Last Updated | Timestamp of the most recent signature update |
When a third-party EDR has disabled Windows Defender (engine version shows 0.0.0.0), all fields display "N/A" and the status shows "Disabled".
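The badge rules in this section, written out as an added example (not the product's own code), useful for reproducing the status when auditing exported telemetry. The record key names, the strict "older than" comparison at exactly 24 hours and 7 days, and the switch from hours to days at 24 hours are assumptions; the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

DISABLED_ENGINE = "0.0.0.0"              # engine version seen when a third-party EDR disabled Defender
OUT_OF_DATE_AFTER = timedelta(hours=24)  # yellow badge threshold
CRITICAL_AFTER = timedelta(days=7)       # red badge threshold
FIELDS = ("signature_version", "engine_version", "product_version", "last_updated")

def format_age(age):
    """Render signature age in hours, or in days from 24 hours on (assumed switch-over)."""
    hours = int(age.total_seconds() // 3600)
    return f"{hours} h" if hours < 24 else f"{hours // 24} d"

def defender_panel(record, now):
    """Map one telemetry record (hypothetical key names) to the panel's fields."""
    if record["engine_version"] == DISABLED_ENGINE:
        # Disabled case: every field is N/A, whatever stale values the record carries.
        return {"status": "Disabled", "signature_age": "N/A", **{f: "N/A" for f in FIELDS}}
    last = datetime.fromisoformat(record["last_updated"])
    age = max(now - last, timedelta(0))  # a timestamp ahead of `now` counts as age zero
    if age > CRITICAL_AFTER:
        status = "Critical"
    elif age > OUT_OF_DATE_AFTER:
        status = "Out of Date"
    else:
        status = "Up to Date"
    return {"status": status, "signature_age": format_age(age), **{f: record[f] for f in FIELDS}}

# Constructed sample records; version strings and timestamps are illustrative only.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
BASE = {"signature_version": "1.421.12.0", "engine_version": "1.1.24090.11",
        "product_version": "4.18.24090.11"}
SAMPLES = {
    "fresh": {**BASE, "last_updated": "2025-01-10T06:00:00+00:00"},
    "one_day_exact": {**BASE, "last_updated": "2025-01-09T12:00:00+00:00"},
    "stale": {**BASE, "last_updated": "2025-01-08T12:00:00+00:00"},
    "critical": {**BASE, "last_updated": "2025-01-01T12:00:00+00:00"},
    "third_party_edr": {**BASE, "engine_version": "0.0.0.0",
                        "last_updated": "2024-06-01T00:00:00+00:00"},
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        panel = defender_panel(rec, NOW)
        print(f"{name:16} {panel['status']:12} age={panel['signature_age']}")
```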
Refresh
The tab header includes a refresh button that triggers the agent to collect and send fresh system state telemetry. The button is disabled when:
- The agent is offline
- A system applicability refresh is already in progress (system state is collected as a sub-task)
- A vulnerability scan is in progress (also includes system state collection)