08-02-2017 02:55 AM
Hello Experts,
I have come across a scenario where patch management for Windows machines is being done through various methods like SCCM, WSUS and sometimes running scripts on endpoints.
As per my understanding, patch management with ISE is performed using AnyConnect integration with ISE, where AnyConnect verifies critical patch installation on the machine with the help of the SCCM client before giving network access to the endpoint.
The customer doesn't want ISE to rely on SCCM, stating that due to some issues patches can be missing on the SCCM client, and hence wants ISE to verify the presence of patches on endpoints using some manual configuration of Windows registry or KB values.
Request you to please help me out if you are aware of any such customisation with ISE for Windows patch validation, and suggest if any solution/workaround is available.
Thank you.
Abhishek
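A local check of the kind the question describes, as an added example that is not from the thread or from Cisco: compare a required KB list against the host's installed hotfix records instead of relying on the SCCM client. The KB IDs and the script name are placeholders.

```powershell
# Added example, not from the thread: report which required KBs are missing
# on the local Windows host using the installed-hotfix records (Win32_QuickFixEngineering).
# The KB IDs below are constructed placeholders; replace them with your patch baseline.
param(
    [string[]]$RequiredKBs = @('KB0000001', 'KB0000002')
)

# Get-HotFix returns one record per installed update; HotFixID is the "KBnnnnnnn" string.
# Caveat: superseded updates (e.g. an older cumulative update replaced by a newer one)
# may no longer appear here, so a baseline should list the currently expected KBs only.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

# Anything in the baseline that is not present on the host is a compliance gap.
$missing = $RequiredKBs | Where-Object { $installed -notcontains $_ }

if ($missing) {
    Write-Output "NON-COMPLIANT: missing $($missing -join ', ')"
    exit 1
}

Write-Output "COMPLIANT: all $($RequiredKBs.Count) required KBs present"
exit 0
```

The exit code lets the script be used by a posture or remediation workflow that only needs a pass/fail result.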
08-02-2017 07:09 AM
There are a number of custom checks for Windows updates that are pushed as part of the Posture rules updates from Cisco. That said, this is typically a much more management intensive route. ISE 2.2 has additional enhancements in 2.2 for checking SCCM checks with external Windows server. I suggest trying to leverage existing WSUS/SCCM integration, or patch management solution to help automate operation.
/Craig
01-24-2018 05:17 AM
Hi Chyps,
Can you please elaborate more on your response -
"ISE 2.2 has additional enhancements in 2.2 for checking SCCM checks with external Windows server. I suggest trying to leverage existing WSUS/SCCM integration, or patch management solution to help automate operation."
01-26-2018 05:51 PM
Hello, the comment was around enhancements on the AC compliance module code to check for all patches instead of just critical patches. Recommend using the latest CM module to work with all patch levels.
thank you
Regards
Imran.