Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1444
Views
0
Helpful
4
Replies

Windows critical patches check

Antonio Macia
Level 3
Level 3

‎03-09-2020 08:01 AM - edited ‎03-09-2020 08:13 AM

Hi,

 

How does ISE know that a Windows machine has a particular critical patch installed? I was expecting that ISE had a registry signature under the "Patch management condition" for each new patch released by Microsoft, however, it doesn't. Does ISE rely on AnyConnect to talk with the local Windows update agent to distinguish which patches are installed and their category?

 

Regards.

0 Helpful
4 Replies 4

Cristian Matei
VIP Alumni
VIP Alumni

‎03-09-2020 10:34 AM

Hi,

  

    It really depends on how you choose to do the patch management for non-compliant devices. If you integrate with SCCM , ISE can check the status with SCCM via WMI, or you can let Anyconnect do it via the OPSWAT OESIS libraries.

 

Regards,

Cristian Matei.

0 Helpful

Antonio Macia
Level 3
Level 3
In response to Cristian Matei

‎03-09-2020 11:29 AM

Thanks Cristian,

 

We currently have the condition to check only important and critical updates, however, many users complain that although their laptops are fully updated, the posture process still asking them to update Windows, so we were thinking to look for a single patch in particular to avoid this kind of issues.

Do you know why AnyConnect does not detect when a laptop is fully updated?

0 Helpful

Cristian Matei
VIP Alumni
VIP Alumni
In response to Antonio Macia

‎03-09-2020 11:04 PM

Hi,

 

   I'm not sure how you've configured ISE and AnyConnect. Here's a good document to guide you, in case you're using SCCM:

https://208.74.205.244/t5/security-documents/how-to-integrate-cisco-ise-with-microsoft-sccm-for-patch/ta-p/3725035

Try also using a stable version of AnyConnect.

   Give mode details on what exactly is not working and what is your configuration.

 

Regards,

Cristian Matei.

0 Helpful

Cristian Matei
VIP Alumni
VIP Alumni
In response to Antonio Macia

‎03-14-2020 03:25 AM

Hi,

 

    The patches to be checked that you configure on ISE, will be held on the AnyConnect client in a .json file and it does the system scanning. You ned to look in ISE, in your posture policy, to see what you tell AnyConnect to check. If you sure that the system is up to date, and AnyConnec is wrong, try patching ISE and upgrading AnyConnect.

 

Regards,

Cristian Matei.

0 Helpful
Customers Also Viewed These Support Documents