Cisco Employee

Patch Management with ISE

Hello Experts,

I have come across a scenario where patch management for Windows machines is done through various methods like SCCM, WSUS and sometimes running scripts on endpoints.


As per my understanding, patch management with ISE is performed using AnyConnect integration with ISE, where AnyConnect verifies critical patch installation on the machine with the help of the SCCM client before giving network access to the endpoint.


The customer doesn't want ISE to rely on SCCM, stating that due to some issues patches can be missing on the SCCM client, and hence wants ISE to verify the presence of patches on endpoints using some manual configuration of Windows registry or KB values.


Request you to please help me out if you are aware of any such customisation with ISE for Windows patch validations and suggest if any solution/workaround is available.


Thank you.

Abhishek



Accepted Solutions
Advocate

Re: Patch Management with ISE

There are a number of custom checks for Windows updates that are pushed as part of the Posture rules updates from Cisco. That said, this is typically a much more management-intensive route. ISE 2.2 has additional enhancements for checking SCCM checks with external Windows server. I suggest trying to leverage existing WSUS/SCCM integration, or patch management solution to help automate operation.

/Craig

Beginner

Re: Patch Management with ISE

Hi Chyps,

Can you please elaborate more on your response -

"ISE 2.2 has additional enhancements in 2.2 for checking SCCM checks with external Windows server. I suggest trying to leverage existing WSUS/SCCM integration, or patch management solution to help automate operation."

Cisco Employee

Re: Patch Management with ISE

Hello, the comment was about enhancements to the AC compliance module code to check for all patches instead of just critical patches. I recommend using the latest CM module to work with all patch levels.

Thank you


Regards

Imran.