IBM Support

QRadar EDR: Important changes on QRadar EDR Windows agent nanoOS

News


Abstract

The EDR Windows agent v3.12.0 comes with an updated version of the nanoOS with extended support to the latest Windows 10 and Windows 11 kernels.

Content

The new nanoOS has been tested on the following configurations (see section below Supported configurations) that will be expanded over time. The general system requirements of the 64-bit agent applies also to the NanoOS (see official Documentation system requirements).
 
Important: 
  • For fresh (first time agent deployment) installations of v3.12.0, the nanoOS will be disabled by default. Therefore, the user need to meet a compatibility requirements and enable the nanoOS accordingly. The nanoOS can be enabled from the endpoint live response, by issuing the command “nanoos on”.
  • In case of agent updates to the v3.12.0 on unsupported configurations, it is recommended to pro-actively disable the nanoOS before the update by issuing “nanoos off” from the endpoint live response. The nanoOS activation can be attempted by issuing “nanoos on“ from the endpoint live response. Endpoints that already have nanoOS status enabled prior to the update will have the new nanoOS deployed automatically.
  • In order to ensure a flawless roll-out, we suggest incrementally distributing the update starting from a group with a limited number of endpoints and verifying the nanoOS is in enabled status.
 
Supported configurations:
The currently supported processor families are. The EDR Windows agent v3.12.0 comes with an updated version of the nanoOS with extended support to the latest Windows 10 and Windows 11 up to 23H2.
 
Intel:
  • Intel Xeon E Family
  • Intel N100 Family
  • Intel i3
  • Intel i5
  • Intel i7
  • Intel i9
AMD:
  • AMD FX Family
  • AMD Ryzen 3
  • AMD Ryzen 5
  • AMD Ryzen 7
  • AMD Ryzen 9
 
Use of virtualization is supported for VMware ESXi 8.0 U3b.
 
 
Unsupported OS features:
Memory integrity, also known as Hypervisor-protected Code Integrity (HVCI) is Microsoft feature part of Device Guard.
Memory integrity works by creating an isolated environment using hardware virtualization and ensures that memory pages are only made executable after passing code integrity checks inside the secure runtime environment, and executable pages themselves are never writable. This design makes it incompatible with the nanoOS.
 
Important:
  • HVCI and nanoOS cannot be active simultaneously. In order for HVCI to be enabled with an active nanoOS requires the nanoOS to be firstly disabled. This is mandatory because Windows caches information about incompatible services and services files and deny the HVCI enablement in case any incompatibility is detected. From the endpoint live response issue “nanoos off” and verify from the endpoint details that the nanoOS status turns to disabled.
  • At installation time, the nanoOS service and files are not deployed in case HVCI is detected enabled.
 
 

[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSVOEH","label":"IBM Security ReaQta"},"ARM Category":[{"code":"a8m3p000000hBSAAA2","label":"Administrative Tasks"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
27 November 2025

UID

ibm17173575

Page Feedback