ISE posture - Windows updates

mafattor
Cisco Employee

Hi,

A customer is testing ISE 2.2 with posture analysis; his objective is to check the Windows OS level and patches for non-internal users.

These users are external contractors with Windows PCs. The customer is going to mandate the installation of the AnyConnect posture module.

After some testing, the customer is discovering that the posture check always ends in a non-compliant status, forcing the client to update from the Windows Server Update Services (WSUS) server; but in this case they don't manage it, because these PCs are not internal. This is a problem.

This is also described here:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/119214-configure-ise-00.html

Is this "dummy config" still the same for newer versions?

Is there a workaround to let the external PCs complete the posture check and update the patch level or OS by themselves?

Is there any way to automatically check that the latest Windows patch is installed on unmanaged PCs?

Thanks

Kind Regards

Mauro

Accepted Solution

Craig Hyps
Level 10

Remediation for WSUS is to contact either the Managed Server or the Windows Server and request updates. Since the clients are not managed by you, they would need access to the Microsoft server during remediation and must also assume SCCM is configured properly. If using Windows Severity as the condition, this means that the SCCM client will check with the SCCM server to determine if it is compliant. If using Cisco Rules, then you specify specific hotfix conditions defined in ISE. In either case, SCCM remediation assumes a connection to an SCCM server.

An alternative is to provide text which informs the user of missed conditions via Cisco Rules. Trying to enforce a compliance policy on unmanaged endpoints will have some challenges, since the SCCM config is not centrally managed by the managing organization.

Craig
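As an added illustration (not part of the thread, and not Cisco's or the ISE posture module's own code), the script below does locally what a Cisco Rules hotfix condition evaluates on the endpoint: it compares installed hotfixes against a required list and, optionally, asks the Windows Update Agent what is still pending. The KB numbers are constructed placeholders, not real requirements; the pending-update query contacts whatever update source the PC is configured for (Microsoft Update, or a WSUS server if policy points there), which is the same reachability dependency the remediation step in the answer depends on.

```powershell
# Added example: local view of what an ISE hotfix condition checks on an endpoint.
# The KB identifiers below are constructed placeholders for illustration only.
$RequiredHotfixes = @('KB0000001', 'KB0000002')

function Test-RequiredHotfixes {
    param([string[]]$Required)
    # Get-HotFix lists installed updates by their KB identifier.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing   = @($Required | Where-Object { $installed -notcontains $_ })
    [pscustomobject]@{
        Compliant = ($missing.Count -eq 0)
        Missing   = $missing
    }
}

function Get-PendingUpdates {
    # Windows Update Agent COM API; the search goes to the configured update
    # source, so it needs network reachability to Microsoft Update or WSUS.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity
        }
    }
}

$status = Test-RequiredHotfixes -Required $RequiredHotfixes
if ($status.Compliant) {
    'All required hotfixes are present.'
} else {
    "Missing hotfixes: $($status.Missing -join ', ')"
    'Updates the endpoint still reports as pending:'
    Get-PendingUpdates | Format-Table -AutoSize
}
```

Running this on a contractor's PC before it is tested against the posture policy shows whether a non-compliant result comes from missing hotfixes or from the endpoint being unable to reach its update source, which is the distinction the answer draws between the check and the remediation.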

