I have a question regarding opening up the clients to Microsoft updates. Before the clients are compliant they are only allowed access to the ISE server and dns/dhcp servers. Does that mean I have to modify the redirect ACL in the ASA to allow the Microsoft update servers or DACL from ISE? Also, Microsoft only provides FQDNs for the update servers. They do not provide any IP addresses and they also use wildcards. How can this be implemented in the ACLor DACL? Please advice.
Depending on the version of ASA code you are using, you could probably use the below guide and then have ISE reference the ACL while the endpoint is in remediation.
