Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2399
Views
0
Helpful
3
Replies

Patch Management with ISE

Go to solution
abhvyas
Cisco Employee
Cisco Employee

‎08-02-2017 02:55 AM

Hello Experts,

I have come across a scenario where patch management for Windows' Machines is getting done through various methods like SCCM, WSUS and sometimes running scripts on end points.


As per my understanding patch management with ISE is performed using AnyConnect integration with ISE, where AnyConnect verifies Critical Patches installation on machine with the help of SCCM Client before giving network access to end point.


Customer doesn't want to ISE to rely on SCCM, stating that due to some issues patches can be missing on SCCM client and hence

want ISE to verify presence of patches on end points using some manual configuration of Windows registry or KB values.


Request you to please help me out if you are aware of any such customisation with ISE for Windows patch validations and suggest if any solution/workaround is available.


Thank you.

Abhishek



0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10

‎08-02-2017 07:09 AM

There are a number of custom checks for Windows updates that are pushed as part of the Posture rules updates   from Cisco.  That said, this is typically a much more management intensive route.  ISE 2.2 has additional enhancements in 2.2 for checking SCCM checks with external Windows server.  I suggest trying to leverage existing WSUS/SCCM integration, or patch management solution to help automate operation.

/Craig

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Craig Hyps
Level 10
Level 10

‎08-02-2017 07:09 AM

There are a number of custom checks for Windows updates that are pushed as part of the Posture rules updates   from Cisco.  That said, this is typically a much more management intensive route.  ISE 2.2 has additional enhancements in 2.2 for checking SCCM checks with external Windows server.  I suggest trying to leverage existing WSUS/SCCM integration, or patch management solution to help automate operation.

/Craig

0 Helpful

Go to solution
Bcssi Network
Level 1
Level 1
In response to Craig Hyps

‎01-24-2018 05:17 AM

Hi Chyps,

Can you please elaborate more on your response -

"ISE 2.2 has additional enhancements in 2.2 for checking SCCM checks with external Windows server.  I suggest trying to leverage existing WSUS/SCCM integration, or patch management solution to help automate operation."

0 Helpful

Go to solution
imbashir
Cisco Employee
Cisco Employee
In response to Bcssi Network

‎01-26-2018 05:51 PM

Hello, comment was around enhancements on AC compliance module code to check for all patches instead of just critical patches, recommend using the latest CM module to work with all patch levels

thank you


Regards

Imran.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents