Anti-Malware Remediation

ryanbess
Level 1

Starting to learn about some of the automatic remediation capabilities that come with ISE and the modules. In my Posture policy I have it configured to automatically remediate any AM product that it finds should the definition files be 5 days or older (using the default remediation called "AnyAMDefRemediationWin").

On my test computer the AM product "Windows Defender" had a definition that was 7 days old.  When the system scan ran, it looks like it attempted to remediate the out of date definitions but failed.  My question is what is the AnyConnect client with the system scan module actually doing to attempt to automatically remediate the Windows Defender out of date definitions?

4 Replies

Good question.  I've always wondered the same and assumed it is handled via some system level command/API call from the OPSWAT APIs.  That being said, when I have seen the auto remediations not work it was typically due to a permissions issue.

In this instance, how would the posture client perform definition updates? Might it get them from ISE via the Posture update service, might it run some PowerShell command that informs Defender to go update... we need to know this stuff so we can ensure the access is there to actually get updates. Example: if it runs some PowerShell command that tells the Defender client to update, then that means the DACL that we push out as part of posture permits access to the internet / some on-prem update services. Hopefully someone from Cisco will chime in and help out. I've enabled debugging and got DART logs but am having difficulty sorting through the noise.

It has been explained here: Solved: ISE automatic posture remediation of anti-malware - Cisco Community

Note that: Some of the Anti-Malware endpoint security solutions (such as FireEye, Cisco AMP, Sophos, and so on) require network access to their respective centralized service for functioning. For such products, AnyConnect ISE posture module (or OESIS library) expects the endpoints to have internet connectivity. It is recommended that internet access is allowed for such endpoints during pre-posture for these online agents (if offline detection is not enabled). Signature Definition condition might not be applicable in such cases.

Cisco Identity Services Engine Administrator Guide, Release 3.1 - Compliance [Cisco Identity Services Engine] - Cisco

If you find this useful, please mark it helpful and accept the solution.

Thanks for the link. It's still unclear to me if the compliance module is telling Defender (in this case) to go update or if the automatic remediation is simply to let Defender phone back to some update server by itself. In my case the posture settings allow for 5 minutes before marking an endpoint as non-compliant.
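An added troubleshooting script, not from the thread or from Cisco, that reproduces the posture condition locally on the Windows endpoint: it reads the Defender signature age with the built-in Defender cmdlets, compares it against the same 5-day threshold the policy uses, and optionally asks Defender to update on its own so you can tell whether the endpoint can reach its update source from its pre-posture network position. Triggering the update with Update-MpSignature is an assumption for this check, not a statement of what the ISE posture module itself does.

```powershell
# Added troubleshooting check (not part of the thread): reproduce the posture
# definition-age condition on the endpoint and test Defender's own update path.
param(
    [int]$MaxAgeDays = 5,   # same threshold as the posture policy in the question
    [switch]$AttemptUpdate  # also try Defender's own update from this network position
)

function Get-DefenderDefinitionAge {
    # Get-MpComputerStatus is the built-in Windows Defender cmdlet.
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        LastUpdated = $status.AntivirusSignatureLastUpdated
        AgeDays     = $status.AntivirusSignatureAge
        Version     = $status.AntivirusSignatureVersion
    }
}

$before = Get-DefenderDefinitionAge
Write-Host ("Definitions last updated {0} (version {1}), age {2} day(s)" -f `
    $before.LastUpdated, $before.Version, $before.AgeDays)

if ($before.AgeDays -le $MaxAgeDays) {
    Write-Host "Within the $MaxAgeDays-day threshold; the posture definition check should pass."
    return
}

Write-Warning "Older than $MaxAgeDays days; this is the state the posture module would try to remediate."

if ($AttemptUpdate) {
    # Update-MpSignature asks Defender itself to fetch new definitions. If it fails
    # here, the endpoint cannot reach its update source in its current (pre-posture)
    # network state, so an ISE-triggered remediation would hit the same wall whatever
    # mechanism it uses; that points at the pre-posture DACL rather than the module.
    try {
        Update-MpSignature -ErrorAction Stop
        $after = Get-DefenderDefinitionAge
        Write-Host ("After update: version {0}, age {1} day(s)" -f $after.Version, $after.AgeDays)
    } catch {
        Write-Warning "Defender could not update from this network position: $($_.Exception.Message)"
    }
}
```

Run it from the endpoint while it sits in the pre-posture VLAN/DACL, once without and once with -AttemptUpdate, and compare the timing against the 5-minute remediation window.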