08-05-2024 11:17 PM - edited 08-07-2024 04:36 AM
Hi all,
The same problem happened with version 1218 a few months ago. I cannot ask my users to downgrade their Windows 11, so I set this requirement as optional until Cisco upgraded ISE and included v1218 support, but now it is happening again.
Is there any other way to check Windows update compliance without waiting until Cisco upgrades ISE to support Windows Update Agent 1219?
Checking some regedit value reflecting the Windows security state, for example?
TIA
08-06-2024 08:21 AM
Do you have the latest Posture Feed update installed?
08-07-2024 02:12 AM - edited 08-07-2024 02:16 AM
Yes, the latest posture feed already includes support for Windows Update Agent 1219.x, but it needs the compliance module upgraded to 4.3.4164.6145.
Some of our users didn't have admin rights and couldn't upgrade the module, and we have to upgrade manually; this is why I am looking for an alternative method to check that Windows Update is running.
08-07-2024 06:11 AM
08-08-2024 12:00 AM - edited 08-08-2024 01:49 AM
@ahollifield, updating via ISE works fine on almost all computers, with admin users and with non-admin users, but some computers fail, and in those cases the compliance module updates fine only if an admin user logs in to the computer.
08-12-2024 01:40 AM
This weekend Microsoft upgraded Windows 11 again and it now uses Windows Update Agent 1220.x, but Cisco ISE does not support it yet.
08-07-2024 02:15 AM
The predefined Cisco Conditions -> Service -> pc_AutoUpdateCheck works fine to check that Windows Update is running without checking a specific version, but I still need to check whether Windows has installed its critical patches.
08-20-2024 07:56 PM
@Fernando Segura support for Windows update agent is now available: Support Charts for Cisco Secure Client Windows Compliance Module v4.3.4214.8192
Please note you will need to install the latest compliance module version 4.3.4214.8192: Secure Client 5 Release ISEComplianceModule, as well as update the posture feed in ISE.
08-20-2024 11:34 PM - edited 08-20-2024 11:50 PM
Thank you. I've updated and checked, and it works fine. I've configured different rules for Win10 and Win11. Now Win11 devices will upgrade immediately from ISE when a new module is available, and Win10 devices will be upgraded by SCCM (to avoid the need for users with admin privileges to install the updated compliance module).