ISE posture Azure AD clients

manvik
Level 3

Can ISE posture detect whether a client laptop/desktop is connected/joined to Azure Entra ID (Azure AD)? Earlier, ISE had an option to identify whether a system is joined to AD.

4 Replies

Greg Gibbs
Cisco Employee

I'm not aware of an easy way to check for this. You would likely need to use a custom script of some sort to accomplish this. Maybe executing the command 'dsregcmd /status |findstr AzureAdJoined' and matching on the YES response.

If your Entra Joined endpoints are also using Intune, a better option would be integrating ISE with Intune and using an MDM registration/compliance check as a condition for authorization.

See this blog for more details on the Intune option:

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-azure-ad-and-intune/ta-p/4763635


manvik
Level 3

Thanks @Greg Gibbs, yes, I can see the status result as YES. When I run dsregcmd /status it even shows the tenant ID. Is the ISE posture script for remediation?
1. If so, how can I use a posture script to check compliance?
2. Can you help with how ISE can understand whether the script result is pass or fail?
3. There's a registry value at HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo\{Guid}, but the GUID is dynamic. Any idea how to utilize this?

@manvik ISE 3.2 adds support for running scripts on the endpoint. See the link in the Release Notes here:
https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/release_notes/b_ise_32_RN.html#concept_ckl_qxl_rsb

You would have to write a PowerShell script that checks the output and returns a successful exit code of 0 to represent compliance. I'm not a PowerShell expert, so I can't help with that scripting.

For remediation, you would likely have to use a text remediation or some other way to inform the user that they need to perform the Entra Join.

I'm not aware of any good way to use a registry check for this condition.
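The script condition described above, as an added example that is not part of the thread or of any Cisco documentation. It parses the `dsregcmd /status` output into key/value pairs, treats the endpoint as compliant only when `AzureAdJoined : YES` and the reported `TenantId` matches the tenant you expect (a device joined to some other tenant should not pass), and signals the result through the exit code (0 = compliant, non-zero = not compliant). It assumes a Windows endpoint with `dsregcmd.exe` on the PATH, an ISE 3.2 or later script condition that treats exit code 0 as pass, and `$ExpectedTenantId` is a placeholder you replace with your own tenant GUID:

```powershell
# Added example (not from the thread or Cisco): ISE posture script that exits 0
# only when the endpoint is Entra (Azure AD) joined to the expected tenant.
# Assumptions: dsregcmd.exe is on PATH, the ISE script condition treats
# exit code 0 as pass, and $ExpectedTenantId is a placeholder for your tenant GUID.

$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: replace with your tenant ID

function Get-DsregStatus {
    # Run dsregcmd /status and turn every "Key : Value" line into a hashtable entry.
    # Section banners and blank lines do not match the pattern and are skipped.
    $status = @{}
    $lines = & dsregcmd.exe /status 2>&1
    foreach ($line in $lines) {
        if ("$line" -match '^\s*([A-Za-z0-9_ -]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-EntraJoined {
    param([hashtable]$Status, [string]$TenantId)
    # Device-scoped join state; user-scoped fields (e.g. AzureAdPrt) are not
    # reliable when the posture agent runs as SYSTEM, so they are not used here.
    if ($Status['AzureAdJoined'] -ne 'YES') { return $false }
    # Require the expected tenant so a device joined to a foreign tenant does not pass.
    if ($TenantId -and ($Status['TenantId'] -ne $TenantId)) { return $false }
    return $true
}

try {
    $status = Get-DsregStatus
} catch {
    # dsregcmd missing or failing: fail closed (non-compliant) rather than pass silently.
    Write-Output "dsregcmd failed: $_"
    exit 2
}

if (Test-EntraJoined -Status $status -TenantId $ExpectedTenantId) {
    Write-Output "Compliant: AzureAdJoined=YES TenantId=$($status['TenantId'])"
    exit 0
} else {
    Write-Output "Non-compliant: AzureAdJoined=$($status['AzureAdJoined']) TenantId=$($status['TenantId'])"
    exit 1
}
```

Two points worth checking before relying on this: run it once as SYSTEM (the context the posture agent uses) and confirm that `AzureAdJoined` and `TenantId` are still populated there, since the user-scoped part of the `dsregcmd` output is empty in that context; and keep the tenant comparison, because "joined to Azure AD" alone says nothing about which tenant the device trusts. The remediation side stays as described in the reply: a text remediation telling the user to complete the Entra join.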

Thank you, let me try with scripts.