Windows Defender and Cisco ISE

ifabrizio (Level 3)

Dear All,

I need to know whether Cisco ISE 3.1 is compatible with Windows Defender.

I found this document on the Microsoft site that confirms it:

Network access control integration with Microsoft Intune | Microsoft Docs

But I'd like to know whether it is also true for Cisco.

Best regards,

Igor.


12 Replies

The link you shared seems to be talking about ISE and Intune integration. I think ISE supports MS Windows Defender; however, when you try to look up Windows Defender in the ISE Antivirus or Malware posture assessment conditions you won't find it, but you will find Microsoft Corporate or Microsoft Corp, which should be the entry that defines the Microsoft protection app.

ifabrizio (Level 3)

Hi Aref, thank you for the information. You mean that MS Corporate is the main software and Windows Defender is one of its modules/parts?

Hi Fabrizio, yes, that's what I think.

Marvin Rhoads (Hall of Fame)

What are you wanting to know about "compatibility"?

There are two potential areas to consider, both of which come under the Posture and MDM (Mobile Device Management) integration use cases. If you are not using Posture or MDM integration then the question is moot as ISE and Defender have very different purposes and do not interact.

In the case of Posture, ISE can check if the endpoint is running Defender and has definitions no older than a period you specify. ISE can also integrate with Intune, which can be managing the Defender settings (among other things) and report to ISE whether the endpoint is compliant. ISE can then use that result in the Policy Set as an Authorization condition.

Hi Marvin, thank you for your reply.

I will use posture checks on Cisco ISE for BYOD. Windows Defender will be installed on internal PCs with Office 365.

In my idea, ISE should be able to interact with Windows Defender, and if it raises an alarm, ISE can act as NAC and block the PC's communication or move it to a segregated DMZ. Is it possible?

@ifabrizio the type of functionality you are asking about isn't directly supported. Cisco can check if Defender is installed, active and current. It cannot make an authorization (or change of authorization) decision based on an event occurring in Defender.

If you have Intune and it is configured to determine that an active Defender alert makes the managed computer non-compliant with respect to Intune, then ISE can change the authorization result in that case.

Thank you again Marvin.

Yes, we will use Defender with Intune.

So it is Intune that communicates with ISE so that it can change the authorization; is my understanding correct?

Accepted Solution

Correct, assuming you "Use a device compliance policy to set the level of risk you want to allow. Risk levels are reported by Microsoft Defender for Endpoint. Devices that exceed the allowed risk level are identified as noncompliant."

https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection

You would then have something like this document's setup (dated, but the concepts remain valid with the latest ISE releases):

https://community.cisco.com/t5/security-documents/cisco-ise-integration-with-mobile-device-management-mdm/ta-p/3784691

Hi Marvin,

Unfortunately I cannot open the link:

docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection 

Could you please send me this document as attachment?

Best regards,

Igor.

Hi Marvin, I learned today that with ISE posturing we only check if the Agent is installed, not actually if the Agent is running. Can you please confirm? Are there any other means (e.g. MDM) to check if the Agent is running, or is it planned for the future?

rhugento@cisco.com (Cisco Employee)

Hello all, I learned in a PoC that "ISE Posturing" only checks if the Agent is installed and if the Signature/Definitions are up to date, but NOT if the Agent is running. Therefore some of the above statements are not correct.

It would be interesting to know if the latter can be checked via MDM and if the capability is on the ISE roadmap.

You can check a process status using ISE Posture checks. This applies to all posture-checking types: Secure Client, Secure Client Stealth, Temporal, and Agentless.
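The decision flow described across this thread, as an added example that is not part of the original posts or of Cisco's or Microsoft's code: ISE evaluates its own posture conditions for the Defender antivirus product (installed, running as a process, definitions not older than a threshold) and, for MDM-integrated endpoints, uses the compliance verdict Intune derives from the Microsoft Defender for Endpoint risk level. The Python below models those two inputs and the resulting authorization. The definition-age threshold, the authorization profile names, the "fail closed" handling of an enrolled device with no risk signal, and every endpoint/MDM record are assumptions constructed for illustration; they are not values from the page.

```python
"""
Model of the ISE authorization decision discussed in this thread.
Added illustration, not Cisco's or Microsoft's code. Thresholds, profile
names and sample records are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_DEFINITION_AGE_DAYS = 3                       # assumed posture threshold
RISK_ORDER = ["Clear", "Low", "Medium", "High"]   # MDE machine risk levels, low to high


@dataclass
class EndpointFacts:
    """What the posture agent reports about the Windows endpoint."""
    av_product: Optional[str]         # vendor name as listed in ISE AV conditions; None if none found
    av_process_running: bool          # result of a process check, not merely 'installed'
    definitions_date: Optional[date]


@dataclass
class MdmFacts:
    """Device record as Intune sees it; risk_level is reported by MDE, None if absent."""
    enrolled: bool
    risk_level: Optional[str] = None


def posture_status(ep: EndpointFacts, today: date) -> str:
    """ISE posture verdict: Compliant, NonCompliant or Unknown."""
    if ep.av_product is None:
        return "Unknown"              # no AV product reported: endpoint not yet postured
    if not ep.av_process_running:
        return "NonCompliant"         # installed but not running: needs an explicit process check
    if ep.definitions_date is None:
        return "NonCompliant"
    if (today - ep.definitions_date).days > MAX_DEFINITION_AGE_DAYS:
        return "NonCompliant"
    return "Compliant"


def intune_compliance(mdm: MdmFacts, allowed_risk: str) -> Optional[bool]:
    """
    What Intune reports back to ISE. The compliance policy allows devices at or
    under `allowed_risk`; anything above it is non-compliant. None means Intune
    has no record of the device (not enrolled).
    """
    if not mdm.enrolled:
        return None
    if mdm.risk_level is None:
        return False                  # enrolled but no MDE signal: assumed fail-closed
    return RISK_ORDER.index(mdm.risk_level) <= RISK_ORDER.index(allowed_risk)


def authorize(posture: str, mdm_compliant: Optional[bool]) -> str:
    """
    ISE authorization result (profile names are assumptions). Order matters:
    an unknown posture is sent to the posture portal before anything else.
    """
    if posture == "Unknown":
        return "Posture_Redirect"
    if mdm_compliant is None:
        return "MDM_Enrollment_Redirect"
    if posture == "NonCompliant" or not mdm_compliant:
        return "Quarantine"
    return "PermitAccess"


def decide(ep: EndpointFacts, mdm: MdmFacts, today: date, allowed_risk: str = "Low") -> str:
    """End-to-end decision for one endpoint session."""
    return authorize(posture_status(ep, today), intune_compliance(mdm, allowed_risk))


def example_decisions() -> dict:
    """Constructed scenarios covering the cases raised in the thread."""
    today = date(2023, 5, 10)
    healthy = EndpointFacts("Microsoft Corp", True, date(2023, 5, 9))
    stale = EndpointFacts("Microsoft Corp", True, date(2023, 5, 1))
    not_running = EndpointFacts("Microsoft Corp", False, date(2023, 5, 9))
    no_report = EndpointFacts(None, False, None)
    return {
        "healthy_clear": decide(healthy, MdmFacts(True, "Clear"), today),
        # A Defender alert raised the MDE risk to High: Intune marks the device
        # non-compliant and ISE quarantines it on its next MDM check.
        "healthy_high_risk": decide(healthy, MdmFacts(True, "High"), today),
        "stale_definitions": decide(stale, MdmFacts(True, "Clear"), today),
        "not_running": decide(not_running, MdmFacts(True, "Clear"), today),
        "no_av_report": decide(no_report, MdmFacts(True, "Clear"), today),
    }


if __name__ == "__main__":
    for name, result in example_decisions().items():
        print(f"{name:20s} -> {result}")
```

The point the model makes explicit is that ISE never sees the Defender alert itself; it only sees the compliance bit Intune publishes after applying the risk-level policy, and only when ISE next queries Intune, so the reaction is not instantaneous. The separate process check is what closes the gap between "installed" and "running" that the PoC above found.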