topic Windows 10 patch managment in Network Access Control

Windows 10 patch managment

afahmy — Tue, 07 Nov 2017 16:15:03 GMT

Hi all,

As i haven't had the chance to test or try that myself, please advise if there are known issues in getting SCCM integration to work with ISE+ Anyconnect posture or the purpose of patch management (customer wants to make sure endpoint has the most up to date patches before it's allowed on the network).

Thanks,

Ahmed.

Re: Windows 10 patch managment

Craig Hyps — Tue, 07 Nov 2017 17:26:32 GMT

Per direct communication, here is reference guide: ISE Design & Integration Guides

You also noted that TAC case opened but concern was delay in seeing resolution, so this post does not provide much for anyone to go on other than "Any known issues". Per phone call, recommend:

Communicate delay in resolution with TAC Duty Manager
Review SCCM Integration Guide
ISE 2.3 adds some enhancements for backend Microsoft patch level checking with SCCM.
If specific question or issue, then detail that rather than general "any issues" to allow TMEs or other SMEs to provide direct feedback to specific issue. Otherwise it is too vague.

Goal of this community is not to be a TAC escalation forum so want to make sure that issues already in the hands of TAC are escalated through proper channels. If looking for feedback on resolution or solicit experience, that is acceptable, but open queries like this likely will not achieve desired outcome.

Re: Windows 10 patch managment

paul — Wed, 08 Nov 2017 14:35:50 GMT

Ahmed,

In addition to what Craig said, you have to be very careful about this statement you made:

"customer wants to make sure endpoint has the most up to date patches before it's allowed on the network."

Any time I see the statement like "Customer wants to block access before posture is known" I cringe a bit. You need to have a clear understanding of when posture status is reported and what you will break if you are too restrictive in the posture unknown state.