Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2605
Views
10
Helpful
9
Replies

Windows Defender and Cisco ISE

Go to solution
ifabrizio
Level 1
Level 1

‎07-07-2022 07:53 AM

Dear All,

 

I need to know if Cisco ISE 3.1 is compatible with Windows Defender?

 

I found this document on Microsoft site that confirm it:

 

Network access control integration with Microsoft Intune | Microsoft Docs

 

But I' d like to know if it is also true for Cisco.

 

Best regards,

 

Igor.

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to ifabrizio

‎07-08-2022 08:41 AM

Correct, assuming you "Use a device compliance policy to set the level of risk you want to allow. Risk levels are reported by Microsoft Defender for Endpoint. Devices that exceed the allowed risk level are identified as noncompliant."

https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection

You would then have something like this document setup (dated but the concepts remain valid with the latst ISE releases):

https://community.cisco.com/t5/security-documents/cisco-ise-integration-with-mobile-device-management-mdm/ta-p/3784691

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Aref Alsouqi
VIP
VIP

‎07-07-2022 09:45 AM

The link you shared seems to be talking about ISE and InTune integration. I think ISE support MS Windows Defender, however, when you try to lookup Windows Defender in ISE Antivirus or Malware posture assessment conditions you won't find it, but you will find Microsoft Corporate or Microsoft Corp, that should be the one that will define Microsoft protection app.

Go to solution
ifabrizio
Level 1
Level 1

‎07-07-2022 09:18 PM - edited ‎07-07-2022 09:20 PM

  • HI Aref thank you for the information, you mean that the MS. Corporate is the main software and the windows Defender is one of its module/parts?
0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to ifabrizio

‎07-08-2022 01:14 AM

Hi Fabrizio, yes, that's what I think.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-08-2022 01:35 AM

What are you wanting to know about "compatibility"?

There are two potential areas to consider, both of which come under the Posture and MDM (Mobile Device Management) integration use cases. If you are not using Posture or MDM integration then the question is moot as ISE and Defender have very different purposes and do not interact.

In the case of Posture, ISE can check if the endpoint is running Defender and has definitions no older than a period you specify. ISE can also integrate with InTune which can be managing the Defender settings (among other things) and report to ISE whether the endpoint is compliant. ISE can then use that result in the Policy Set as an Authorization condition.

Go to solution
ifabrizio
Level 1
Level 1
In response to Marvin Rhoads

‎07-08-2022 07:58 AM

Hi Marvin, thank you for your reply.

I will use posture check on Cisco Ise, for the Byod. The Windows Defender will be installed on internal PC, with office 365.

In my idea the Ise should be able to interact with windows defender and if it raise up some allarm, the Ise can act as NAC, and block PC communication or move on a segregated DMZ. Is It possibile?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to ifabrizio

‎07-08-2022 08:18 AM

@ifabrizio the type of functionality you are asking about isn't directly supported. Cisco can check if Defender is installed, active and current. It cannot make an authorization (or change of authorization) decision based on an event occurring in Defender.

If you have InTune and it is configured to determine that an active Defender alert makes the managed computer non-compliant with respect to InTune then ISE can change the authorization result in that case.

0 Helpful

Go to solution
ifabrizio
Level 1
Level 1
In response to Marvin Rhoads

‎07-08-2022 08:28 AM

Thank you again Marvin.

Yes we will use defender with InTune.

So is the InTune that communicate with Ise so it can change the authorization, is my understanding correct?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to ifabrizio

‎07-08-2022 08:41 AM

Correct, assuming you "Use a device compliance policy to set the level of risk you want to allow. Risk levels are reported by Microsoft Defender for Endpoint. Devices that exceed the allowed risk level are identified as noncompliant."

https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection

You would then have something like this document setup (dated but the concepts remain valid with the latst ISE releases):

https://community.cisco.com/t5/security-documents/cisco-ise-integration-with-mobile-device-management-mdm/ta-p/3784691

0 Helpful

Go to solution
ifabrizio
Level 1
Level 1
In response to Marvin Rhoads

‎07-11-2022 02:23 AM

Hi Marvin,

Unfortunately I cannot open the link:

docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection 

Could you please send me this document as attachment?

Best regards,

Igor.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents