04-10-2026 02:01 AM
Hello everyone, I currently have a question regarding the Compound condition feature in Cisco ISE.
Suppose I have two conditions:
If I configure a compound rule combining these two conditions using an AND operator, does that mean the conditions will be evaluated sequentially?
Is there a way to combine them using a compound condition so that the AV check is evaluated first, followed by the Windows patch check? In other words, if condition 1 (AV check) matches, the device will be blocked immediately without evaluating condition 2 — is that possible?
04-10-2026 03:06 AM - edited 04-10-2026 03:07 AM
@tronnq Hi, policies run from top to bottom. In this case I suggest you use condition 2 as the 1st policy with the 'OR' operator, with condition 1 as the second policy.
04-15-2026 12:50 AM
Hi,
This is my situation: we have 2 posture policies, as in the image, and the rule check_patch has grace periods. If we check posture on the machine, the policy always allows the connection for the grace periods, even though the version on that machine is wrong and AV is missing.
04-15-2026 09:14 AM
Why not use MDM-based posture instead?
04-15-2026 07:24 PM
Hi bro, I’m trying to verify whether this is a limitation of ISE, because when checking these two conditions, ISE always prioritizes the grace period, even though both conditions on the device have failed.
04-15-2026 11:52 PM
Hi guys,
I see that ISE has Dictionary Attributes -> posture, but why can I see it when configuring the authorization policy?