Skip to content
Cloudflare Docs

OS version

The OS Version device posture attribute checks whether the version of a device's operating system matches, is greater than or lesser than the configured value.

Prerequisites

  • Cloudflare WARP client is deployed on the device. For a list of supported modes and operating systems, refer to WARP Client Checks.

Enable the OS version check

  1. In Cloudflare One, go to Reusable components > Posture checks.

  2. Go to WARP client checks and select Add a check.

  3. Select OS version.

  4. Configure the Operating system, Operator, and Version fields to specify the OS version you want devices to match.

  5. (Optional) Configure additional OS-specific fields:

    To check that Windows devices have required security patches and features installed, include an Update Build Revision (UBR) number in the OS version check.

    • Update Build Revision: Enter the Windows UBR you want devices to match (for example, 3803). The UBR is the fourth part of the full Windows version number (for example, in 10.0.19045.3803, the UBR is 3803).

  6. Select Save.

Next, go to Insights > Logs > Posture logs and verify that the OS version check is returning the expected results.

Determine the OS version

Operating systems display version numbers in different ways. This section covers how to retrieve the version number in each OS, in a format matching what the OS version posture check expects.

macOS

  1. Open a terminal window.

  2. Use the defaults command to check for the value of SystemVersionStampAsString.

    Terminal window
    defaults read loginwindow SystemVersionStampAsString

Windows

Windows version numbers consist of four parts: Major.Minor.Build.UBR. For example, 10.0.19045.3803 where:

  • 10.0 is the Version (Major.Minor)
  • 19045 is the Build number
  • 3803 is the UBR (Update Build Revision)

To determine the Windows version on your device:

  1. Open a PowerShell window.

  2. Get the Version (Major.Minor.Build):

    Terminal window
    (Get-CimInstance Win32_OperatingSystem).version

    This returns the version in the format Major.Minor.Build (for example, 10.0.19045).

  3. Get the UBR (Update Build Revision):

    Terminal window
    (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name UBR).UBR

    This returns the UBR value (for example, 3803).

Linux

OS version

The Linux OS version check reads the system kernel version.

  1. Open a Terminal window.

  2. Run the uname -r command to get the complete kernel version. For example,

    Terminal window
    $ uname -r
    5.14.0-25.el9.x86_64

  3. Version is the first three numbers of the output in SemVer format (5.14.0).

  4. Patch Version is the first number after the SemVer (25).

Distro version

The WARP client reads Distro name and Distro revision from the /etc/os-release file. The name comes from the ID field, and the revision comes from the VERSION_ID field.

To determine the Linux distro version on your device:

  1. Open a Terminal window.

  2. Get the OS identification fields that contain ID:

    Terminal window
    cat /etc/os-release | grep "ID"

  3. If the output of the above command contained ID=ubuntu and VERSION_ID=22.04, Distro name would be ubuntu and Distro revision would be 22.04. The WARP client will check these strings for an exact match.

ChromeOS

ChromeOS version numbers consist of four parts: MAJOR.MINOR.BUILD.PATCH. The OS version posture check returns MAJOR.MINOR.BUILD.

To determine the ChromeOS version on your device:

  1. Open Chrome browser and go to chrome://system.
  2. Find the following values:
    PropertyOS version component
    CHROMEOS_RELEASE_CHROME_MILESTONEMAJOR
    CHROMEOS_RELEASE_BUILD_NUMBERMINOR
    CHROMEOS_RELEASE_BRANCH_NUMBERBUILD
  3. The OS version in Semver format is MAJOR.MINOR.BUILD (for example, 103.14816.131).