topic Windows 11 ISE posture in Network Access Control

Windows 11 ISE posture

AAA184 — Mon, 03 Nov 2025 19:06:03 GMT

I configured posture policy which use (windows 10(all)) as operating system criteria. and all posture conditions using windows 10 also. but windows 11 PCs still be scanned for posture.

Note : posture requirements still in audit state.

Can someone explain that behavior.

Re: Windows 11 ISE posture

Aref Alsouqi — Tue, 04 Nov 2025 09:59:18 GMT

Apologies if I misunderstood your question. You configured posture assessment for Win 10 and it's not working with Win 11, is this what are you asking about? if so, that won't work because it won't match Win 11 machines. You would need to add Win 11 in the conditions similar to what you've done for Win 10.

Re: Windows 11 ISE posture

Waynieack — Wed, 17 Dec 2025 21:22:16 GMT

What he is saying is that windows 11 is being detected by the ISE posture as windows 10 and even though he only has windows 10 posture rules, windows 11 machines are being postured.

I have the same issue.

Re: Windows 11 ISE posture

Cristian Matei — Fri, 19 Dec 2025 00:31:53 GMT

Hi,

By design, something which is obviously creating more problems than ones which were presumably to be fixed, Windows 11 shows itself as Windows 10 with a different build version than Windows 10:

https://learn.microsoft.com/en-us/answers/questions/555857/windows-11-product-name-in-registry?page=2

Use Registry check to differentiate and match between Windows 10 and Windows 11; from path "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion", match on "DisplayVersion" to be 21H2 values or "CurrentBuildNumber" to be higher than 20000.

Here's an example of using Registry Keys as matching conditions:

https://community.cisco.com/t5/network-access-control/cisco-ise-posture-and-os-selections/td-p/4110666

Thanks,

Cristian.

Re: Windows 11 ISE posture

Waynieack — Fri, 16 Jan 2026 23:27:17 GMT

I have registry conditions like that for other stuff but it doesn't help with the Cisco managed pr_W11_64_Hotfixes conditions. Regardless of what I put the the rules, that operating system check in the pr_W11_64_Hotfixes compound condition is going to keep the windows 11 machines that show up as windows 10 from hitting the hotfix check. We don't allow windows 10 machines, so all the rules that point to pr_W11_64_Hotfixes are set for (windows 10 or windows 11), but that OS check on the pr_W11_64_Hotfixes that I can't change is the issue. I know I can copy it, but then I would be manually managing the rule.