03-14-2025 08:16 PM
I recently integrated Microsoft Intune with Cisco ISE 3.4 to check for device registration status and device compliance state. I am noticing some false results between the two integrations. For example, ISE shows a device registration as false where in actual sense this device is enrolled in Intune, or a case of a system not enrolled in Intune where that device is matching an authorization policy checking ONLY device registration status. The results are inconsistent and becoming unreliable. This is going to be a big deal because if it profiles a device wrongly, the connection will be given the wrong policy. Has anyone faced this, or is this a well-known issue?
What is your experience with Intune integration with Cisco ISE?
03-15-2025 05:30 AM
Probably the ISE API, when sending the query to Intune, is not able to find the device. This issue mainly happens when you use the MAC address as the identifier. What is the Device Identifier you have enabled in the External MDM configuration for Intune? The recommended way is to use the SAN GUID. To use the SAN GUID as the Device Identifier you must have the GUID printed in the SAN field of the endpoint certificates.
03-15-2025 05:02 PM
Thanks @PSM for the response. First off, I am not doing certificate authentication, so there are no endpoint certificates. I enabled the legacy MAC address. But, if the ISE API query to Intune could not find a device, shouldn't it report that the device is not registered? Why report that a device is registered because it could not find the device? Is there anything that could cause this inaccurate query result? Because this is going to have a significant impact on the authorization profiles it assigns to authentication attempts.
03-15-2025 08:26 PM
I did further troubleshooting, and added more API permissions in the app registration. Now I can see the MDM report showing the right status after granting more API permissions. However, despite that, the device was still granted the wrong authorization policy. See the screenshots below. This device should fail the authorization condition. Could this be a case of caching or using an existing session? I really want to understand what the issue is... that device should not be hitting that policy.
03-16-2025 10:11 AM
@anu-fatokun Yes, there is a cache in ISE. You can check the endpoint attribute status in Context Visibility > Endpoints > Attributes > Other Attributes. There you should see multiple attributes related to MDM. You can verify whether the endpoint has the expected attribute value. If not, try to delete the endpoint from Context Visibility and test again.
08-06-2025 11:03 AM
We're experiencing similar issues on various systems. The biggest thing we did was to get a SAN URI added to the certificates with the Intune device ID. MAC address is considered legacy and, especially when certain devices are behind docking stations etc., it's unreliable. Before we added the SAN URI to the certificates, a null value was being presented, resulting in the false negative result. That particular case seems to have been cleared up mostly.
However, we're even seeing, say, a MacBook behind a Dell dock. The Dell dock MAC address comes across, but the cert is presented with the device ID AND ISE can profile it as Mac OS X. Registered and compliant in Intune, but Intune is still telling ISE that it's not compliant.
The quality of ISE software has gone so far downhill. There may be responsibility on Microsoft also as Intune is no walk in the park. But to see this flagship security product have the crippling issues it seems to always be stricken with is really disappointing.
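The identifier problem described in this post (a dock's NIC presenting a MAC that Intune has never seen, while the certificate's SAN carries the real device ID) is easy to reason about with a small simulation. The following is an added example, not code from ISE, Intune or this thread: it models the two lookup strategies with constructed sample data and shows why a lookup that finds nothing should be reported as "not registered" rather than silently matching a permissive policy. The attribute names, GUIDs and MACs are all constructed for illustration.

```python
"""Constructed simulation of an MDM lookup keyed by MAC versus SAN GUID.
Not ISE or Intune code; all data below is sample data made up for the example."""
from dataclasses import dataclass
from typing import Optional

# Constructed Intune inventory keyed by the device GUID (sample values).
INTUNE_BY_GUID = {
    "11111111-2222-3333-4444-555555555555": {"registered": True, "compliant": True},
    "66666666-7777-8888-9999-000000000000": {"registered": True, "compliant": False},
}
# Constructed MAC -> GUID map: only the NIC each device enrolled with is known.
INTUNE_BY_MAC = {
    "aa:bb:cc:dd:ee:01": "11111111-2222-3333-4444-555555555555",
    "aa:bb:cc:dd:ee:02": "66666666-7777-8888-9999-000000000000",
}


@dataclass
class Endpoint:
    mac: str                        # MAC seen on the switch port (may be a dock's NIC)
    san_guid: Optional[str] = None  # GUID carried in the certificate SAN, if any


def mdm_lookup(ep: Endpoint, identifier: str) -> dict:
    """Return ISE-style MDM attributes (names are illustrative) for an endpoint.

    identifier is "mac" (legacy) or "san_guid". A lookup that finds no record
    fails closed: the endpoint is reported as not registered and not compliant,
    so it cannot match a policy that only checks registration status."""
    if identifier == "san_guid":
        guid = ep.san_guid
    elif identifier == "mac":
        guid = INTUNE_BY_MAC.get(ep.mac.lower())
    else:
        raise ValueError(f"unknown identifier type: {identifier}")

    record = INTUNE_BY_GUID.get(guid) if guid else None
    if record is None:
        # Nothing found: never default to "registered".
        return {"found": False, "DeviceRegisterStatus": False,
                "DeviceCompliantStatus": False}
    return {"found": True, "DeviceRegisterStatus": record["registered"],
            "DeviceCompliantStatus": record["compliant"]}


# Constructed case from the thread: a MacBook behind a dock whose NIC
# (dd:dd:dd:dd:dd:01) Intune has never seen, but whose cert carries the GUID.
DOCKED_MACBOOK = Endpoint(mac="DD:DD:DD:DD:DD:01",
                          san_guid="11111111-2222-3333-4444-555555555555")
# Constructed case: a machine that is not enrolled at all and has no cert.
UNENROLLED = Endpoint(mac="ff:ff:ff:ff:ff:01")
```

Running `mdm_lookup(DOCKED_MACBOOK, "mac")` returns not found, while the same endpoint looked up by `"san_guid"` returns registered and compliant; the unenrolled machine is reported as not registered under both identifiers.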
08-06-2025 03:01 PM
I'm not sure if I understand the issue with ISE here... Intune is responding to ISE querying the MS Compliance Retrieval API with a 'Compliant=False' response, but you want ISE to ignore that and treat it as Compliant?