Hi,

I have a customer with a two-node ISE deployment (version 3.1.0.518 - Patch 5) with posturing for Windows Patching.

I have an issue especially when they rollout Windows Patching, this can cause a lot of users to become non-compliant for an extended period of time and this impact them being able to do their work.

In the "Posture Policy" under "Policy Options", I have enabled Grace Period for 8 hours with notification at 70%. I was under the impression with Grace Period that this would allow them to access the network allowing their devices to become compliant within this period. Patches were rollout out last night and a user had no access to the network when he was non-compliant.

For "Posture Lease" I have the following:

• Perform posture assessment every "1 day"
• Cache Last Known Posture Compliant Status - Enabled
• Last known Posture Compliant State "18 hours"

With this, I was expecting that Posturing would start for all users and if non-compliant, Grace Period would allow them on the network. (Since after Covid, users are only in the office for about 2-days per week).

This "18 hours" is probably no longer applicable.

For this, I have a few questions: 

• What would happen if I extended the Last Known Posture Compliant State from "18 hours" to "7-days"?
• Would Posturing continue to scan for users every day as instructed by the Perform posture assessment every 1 day check?
• Would Grace Period then check if the user has been complaint within the last 7-days and if they are, allow them onto the network for 8 hours in order to allow the device to become compliant? Does extending the cache to 7-days impact the daily scan?
• If the device does not become compliant within the 8 hours, does it check the cache and if the device is sill in the cache (7-days), do it start another Grace Period of 8 hours?

Hope all this makes sense?

Thanks

Anthony.