NAC Agent  for Windows Clients

The Cisco NAC Agent provides the posture  assessment and remediation for client machines.

Users can download and install the Cisco  NAC Agent (read-only client software), which can check the host  registry, processes, applications, and services. The Cisco NAC Agent can  be used to perform Windows updates or antivirus and antispyware  definition updates, launch qualified remediation programs, distribute  files uploaded to the Cisco ISE server, distribute web site links to web  sites in order for users to download files to fix their system, or  simply distribute information and instructions.

Warning The NAC Agents cannot communicate  with the Cisco ISE server securely and the Cisco ISE server throws an  error when the Windows XP clients do not have the latest Windows  hotfixes and patches installed in them. You must ensure that the latest  Windows hotfixes and patches are installed on Windows XP clients so that  NAC Agents can establish a secure and encrypted communication with the  Cisco ISE server (SSL over TCP).

Ok, so if no one hurries to answer, I'll answer to both questions, the initial one and mine also.

In ISE you have two menu entries regarding posture updates:

Posture Updates (Administration > System > Settings > Posture > Updates)

and Client Provisiong Updates (Administration > System > Settings > Client Provisioning).

Posture Updates refers to AV/AS definitions updates and windows updates. By updating posture-update.xml file you're practically saying to ISE that a known AV/AS application has a new definition file that can be identified using version XYZ or built day as ddmmyy or something like that.

Client Provisioning Updates automatically updates ISE with the latest NAC Agent and Compliance Module, if available.

What does Compliance Module do? Well, it is basically the means of NAC Agent to 'know', recognize any new AV/AS application released mean time. That means that it's useless to create a posture rule that's saying that it's mandatory to have installed Avast X version, if the NAC Agent is not capable of recognize this app, because it doesn't have the latest Compliance Module installed.

What I didn't initially understood is how do you manually deploy it using Active Directory and not ISE.

The answer lies in the actual ISE - NAC Agent communication when doing posture. Although you can manually deploy NAC Agent by other means than ISE, you will also have to configure ISE for posture client provisioning with (the new) Compliance Module, so when a (already installed NAC Agent) client connects to ISE, it will automatically download the newest version of the Compliance Module that can recognize some new apps released.

By the way, NAC Agent 4.9.0.51 (Cisco's recommended version - compatible  - with ISE 1.1.3) has built-in Compliance Module 3.5.4.1, which is capable of recognising the following AV/AS apps:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/win-avas-3-5-4-1.pdf

For a complete picture of what apps are recognised along with the new version the Compliance Module, you can check

http://www.cisco.com/en/US/docs/security/ise/ComplianceModule/win-avas-3_5_5980_2.pdf

Any new announcements regarding new versions of ISE, NAC Agent, Compliance Module will be posted on ISE Release Notes page:

www.cisco.com/en/US/products/ps11640/prod_release_notes_list.html