Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3631
Views
0
Helpful
4
Replies

Cisco ISE Posture and OS Selections

Go to solution
nikolaie
Level 1
Level 1

‎06-28-2020 11:59 PM

Hi, We are in the process of deploying Posture Assessment across the business but would like to target only a particular flavor of Windows 10 Operating System, i.e., Enterprise, instead of ALL Win 10 versions.   This granular selection of the OS is required because we have hundreds of thin clients running Windows 10 Embedded so we'd prefer they do not participate in posture assessment.   Cisco ISE Version 2.6.0.156, Patch 3.

 

Question: Can the Client Provisioning Policy rules around Operating Systems be modified to include more granular versions of an OS type, i.e., Windows 10 Professional, Windows 10 Enterprise, etc.  These options are available when created a Posture Policy just not when creating a Client Provisioning Policy.  Thanks in advance.

Preview file
22 KB
Preview file
20 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎06-29-2020 05:55 AM

AFAIK for the CPP rules you cannot include more granular OS under the 'If' column. However, you have the ability to rely on 'other conditions' to ensure that you only steer the clients you wish to be subject to ISE posturing. Some examples include: rely on different AD security groups; tunnel group name identifiers from VPN profiles; along with many others. You can create conditions as well. My suggestion would be to identify which specific conditions you can utilize to keep Win10 Enterprise separate from the rest of the bunch. Good luck & HTH!

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎06-29-2020 05:55 AM

AFAIK for the CPP rules you cannot include more granular OS under the 'If' column. However, you have the ability to rely on 'other conditions' to ensure that you only steer the clients you wish to be subject to ISE posturing. Some examples include: rely on different AD security groups; tunnel group name identifiers from VPN profiles; along with many others. You can create conditions as well. My suggestion would be to identify which specific conditions you can utilize to keep Win10 Enterprise separate from the rest of the bunch. Good luck & HTH!
0 Helpful

Go to solution
nikolaie
Level 1
Level 1
In response to Mike.Cifelli

‎06-30-2020 08:19 PM

Thanks for the quick response.  Was hoping to avoid using AD security group but it may be the only option available. Thanks again.

0 Helpful

Go to solution
manvik
Level 3
Level 3
In response to Mike.Cifelli

‎12-21-2020 09:53 PM

Is there an option to identify endpoint operating system via Endpoints:OperatingSystem condition.

direcondition.jpg

It's in the ISE posture conditions.

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎12-22-2020 05:36 AM

@manvik I would suggest testing that condition.  I can tell you that you can rely on the following reg key check to match on OS:

win_reg_chk.PNG

 

*SubKey = SOFTWARE\Microsoft\Windows NT\CurrentVersion\

HTH!

0 Helpful
Customers Also Viewed These Support Documents