
Secure access configuration for the ethernet failed

iores
Level 3

Hi,

I am trying to configure wired BYOD dot1x onboarding.

However, when the client downloads and starts Network Setup Assistant, I always get the same error: "Secure access configuration for the ethernet failed".

Has anyone experienced the same issue, and how did you solve it?

I am using ISE 3.0 with WinSPWizard 3.0.0.2. The client is Win 11 with admin rights.

5 Replies

Arne Bier
VIP

Not sure of that old version of ISE - it's best to at least patch ISE 3.0 or upgrade to 3.3 latest patch, and then try again. What does TAC say about this?

@Arne Bier Did not contact TAC yet. Could it be done with AnyConnect instead of WinSPWizard? I want the client to get the certificate from the ISE CA, and then to perform EAP-TLS.

I don't see a lot of BYOD in my customer base, and I don't personally use it, or have much time/desire to play with this in the lab. It's always been fiddly and troublesome when new OSs are released. I think it's wise to upgrade the ISE to something more recent than 3.0 because you can't keep track of all the bugs and enhancements - best to aim higher and then work with the remaining issues that come up.

If you just have a single endpoint (or a few endpoints) then you could onboard them using the Self Provisioning Portal. But the user must have access to the ISE GUI. Users can log in to the web interface of the Self Provisioning Portal with their AD creds, and then ISE will generate them a certificate they can download and install manually, along with the ISE CA certs. For remote users, they could probably enrol themselves while they are on the VPN. As far as using AnyConnect to onboard into ISE, that's not supported or possible, as far as I know. The other method would be to use an MDM instead of ISE.

@Arne Bier For certificate enrollments, do you mean the certificate provisioning portal where the client needs to enter all relevant certificate fields (CN...), or did you have something else in mind?

Yep, that was my thinking - you don't have a lot of control over the cert creation, other than CN and MAC address. ISE will force the user to enter the same value in the CN that matches the username they used to log in to the portal - so the user can't create arbitrary CNs. But the MAC address is somewhat open - but even if it's garbage, you don't need to look at the SAN of that cert (that's where the MAC address ends up).