
How to Integrate Cisco ISE with Microsoft SCCM for Patch Management and MDM Flow


Deploying Cisco ISE with Microsoft SCCM



Nidhi Pandey, Technical Marketing Engineer

October 2018








About Cisco Identity Services Engine (ISE)


                          Figure 1: Cisco Identity Services Engine


Cisco ISE is a leading, identity-based network access control and policy enforcement system. It is a common policy engine for controlling endpoint access and network device administration for enterprises. ISE allows an administrator to centrally control access policies for wired, wireless, and VPN endpoints in a network.

ISE builds context about the endpoints that include users and groups (Who), device type (What), access time (When), access location (Where), access type (Wired/Wireless/VPN) (How), threats, and vulnerabilities. By sharing vital contextual data with technology partner integrations and the implementation of the Cisco TrustSec® policy for software-defined segmentation, ISE transforms a network from a conduit for data into a security enforcer that accelerates the time-to-detection and time-to-resolution of network threats.


About This Guide

This guide is intended to provide technical guidance to design, deploy and operate Cisco Identity Services Engine (ISE) with Microsoft SCCM Server. This document focuses on integration of ISE with SCCM so that ISE can retrieve compliance information from SCCM server and leverage the information to control network access to the user’s Windows device.

This document also shows how the Cisco AnyConnect Secure Mobility Client (AnyConnect) can be integrated with Cisco Identity Services Engine and System Center Configuration Manager (SCCM) so that missing Microsoft Windows patches are installed on the endpoint before it is granted full access.

The first half of the document focuses on the planning and design activities; the other half covers the specifics of configuration and operations. There are four major sections in this document. The initial define part talks about defining the problem area, planning for deployment, and other considerations. Next, in the design section, you will see how to configure the SCCM server to communicate with Cisco ISE so that ISE can make policy decisions based on the compliance information. Third, in the deploy part, the various configuration steps and best practice guidance are provided. Lastly, in the operate section, you will learn how to troubleshoot and monitor.




ISE supports Microsoft's System Center Configuration Manager (SCCM) as a partner MDM server for managing Windows computers. In addition, the AnyConnect posture integration with the SCCM client on the endpoint provides the ability to verify whether the SCCM client has patches (as classified by Microsoft®) pending installation.


What is SCCM?

SCCM is short for System Center Configuration Manager. SCCM is a software management suite provided by Microsoft that allows administrators to manage a large number of Windows-based computers. SCCM features remote control, patch management, operating system deployment, network protection and various other services. It also provides administrators with the tools to control all aspects of their IT system while keeping costs low.

 Use Cases of ISE with SCCM

ISE can perform a policy check with SCCM by the following methods:

  • Using AnyConnect for posture (leveraging OPSWAT libraries) to check the SCCM client on the endpoint
  • ISE checking device status with SCCM as an MDM server, using WMI queries to the SCCM server

 Figure 2


SCCM Workflow For MDM Flow

ISE is able to retrieve information from the SCCM server about whether a device is registered and, if it is registered, whether it is compliant. The following diagram shows the workflow for devices managed by SCCM.


                                                            Figure 3

 When a device connects and a SCCM policy is matched, ISE queries the SCCM server specified in the authorization policy to retrieve compliance and last logon (check-in) time. With this information, ISE updates the compliance status and lastCheckinTimeStamp of the device in the Endpoint list.

 If the device is not compliant or not registered with SCCM, and a redirect profile is used in the authorization policy, a message is displayed to the user that the device is not compliant or not registered with SCCM. After the user acknowledges the message, ISE issues a CoA; an unregistered device can be redirected to the SCCM registration site, and the user is granted access based on the matching authorization policy and profile.


SCCM Workflow for Patch Management

SCCM is Microsoft's patch management solution, which manages patch updates on Microsoft endpoints. The SCCM server deploys a Configuration Manager client on the endpoints that it controls. This client is responsible for notifying the end user that patches are missing on the endpoint. The client also lets the user install the patches that are deployed from the server.


At configured intervals, a Software Update Scan runs on each endpoint administered by the SCCM server and reports the endpoint's patch status back to the server. The SCCM client then learns which deployed patches/updates still need to be installed, for example because patches were uninstalled manually on the client, or because new patches/updates were deployed through Software Update Groups on the SCCM server.





ISE Integration with SCCM for MDM Flow


Communicating Ports

ISE connects to the SCCM server over WMI/DCOM, which uses TCP 135 (RPC endpoint mapper) and TCP 445 (SMB). After the TCP 135 exchange, DCOM continues on a dynamically assigned RPC port (by default in the TCP 49152 to 65535 range on current Windows Server versions), so any firewall between ISE and the SCCM server must permit that range as well. The SMB port can be closed if the registry keys described in Step 3 of the Deploy section are added manually.


Use Cases for ISE MDM support for SCCM

SCCM Integration supports the following use cases for Managed devices


  • Managed Device which is NOT yet registered with SCCM Server
  • Managed Device which is registered with SCCM Server but NON-Compliant
  • Managed Device which is registered with SCCM Server and Compliant


Managed Device which is NOT yet registered with SCCM Server



                                    Figure 4

Here is an example of the flow for a managed device that is not registered with SCCM. When a Windows device connects to the network, ISE sends a WMI query to the SCCM server to check whether the device is registered. The SCCM server responds with the flag set to 0, indicating that the device is not registered. The endpoint can be notified about the registration status and redirected to register the device. ISE then issues a CoA (Change of Authorization) and the appropriate policy is assigned to the endpoint.


Managed Device which is Non-Compliant


                                               Figure 5

Here is an example of the flow for a managed device that is registered with SCCM and is non-compliant. The device connects to the network. Once the user is authenticated, ISE sends a WMI query to the SCCM server to retrieve the last check-in timestamp and the compliance status based on the SCCM policy. The SCCM server responds with the status non-compliant. ISE triggers a Change of Authorization and the device is given limited or blocked access.


Managed Device which is registered with SCCM server and Compliant



Figure 6

 Here is an example of the flow for a managed device that is registered with the SCCM server and is compliant. When a Windows endpoint connects to the network, ISE sends a WMI query to the SCCM server to check the status of the endpoint. The SCCM server responds with the flag set to 1 if the device is compliant, together with the days-since-last-check-in value. Based on this information, ISE triggers a CoA and assigns compliant access to the device.


ISE Integration with SCCM for Patch Management


                                                Figure 7

 From ISE 1.4 onwards, ISE can integrate with the SCCM patch management solution to verify whether the endpoint has any pending patch installations, as reported by the SCCM client on the endpoint (using Microsoft's patch classifications).

 If the SCCM client reports patches available for installation, the AnyConnect posture module can trigger the SCCM client to install the patches before the endpoint is given full network access.





Preparing for ISE Integration with SCCM for MDM Flow

ISE communicates with the SCCM server using WMI. WMI must be configured on the Windows server running SCCM.


Configuration Changes on the Microsoft SCCM Server

This section covers the changes which are to be done in the Microsoft SCCM server.


Step 1     Create a user within the Active Directory domain that will be used by ISE to communicate with SCCM and issue queries about the status of authenticating machines.


  1. Open Active Directory Users and Computers administrative tool.
  2. Right-click on the OU container where you want to create the new user and select the option to create a new user.  You should see the following dialog box.


Figure 8



 Figure 9


  3. Fill in the information as necessary.  Select Next.  In this example, we are using the “ise_sccm_user” logon name.
  4. Create a password that adheres to your organization’s security policy.
  5. Uncheck the option “User must change password at next logon”.
  6. Click Next.
  7. The new user is now created.  If you check the properties of the user, you will see that the user is only a member of the Domain Users security group in AD.


                                                Figure 10

Step 2               

Add the new user created in Step 1 to the “SMS Admins” security group on the Microsoft SCCM Server.

 On the SCCM Server, open the Computer Management administrative tool

  1. Select Local Users and Groups.
  2. Select Groups.
  3. Locate the “SMS Admins” security group.     

                                      Figure 11 

4. Double click on the “SMS Admins” security group. This will open up the dialog box showing which users and groups are a member of this local security group.

                                                                          Figure 12

5. We need to add the user created for ISE to this group.  Select the “Add…” button.

                                                                          Figure 13

6. Ensure the location selected is the Active Directory domain.  In this example, the domain name is “home.local”.

7. Enter the logon name of the account created in Step 1 and then select the “Check Names” button. The user name should now be underlined, indicating that the server was able to locate the object in the AD domain.

8. Select “OK”.

                                                                          Figure 14


 9. You should now see that the new user is a member of the “SMS Admins” local security group.

10. Click “Apply” and “OK” to save the settings and close the dialog box.


                                                                          Figure 15


Step 3               

Configure the Distributed Component Object Model (DCOM) to allow the new user to access, launch, and activate the objects remotely.

  1. On the SCCM Server, open Component Services administrative tool.
  2. In the left pane, expand “Component Services” and “My Computer”.  You should see something similar to the screenshot below.

                                                                          Figure 16

3.  Expand the “DCOM Config” section and there will be a long list of objects.

Manual configuration to add the registry keys on the SCCM server. The steps below are needed only if the SMB port (TCP 445) is blocked and the WMI object does not appear in the DCOM Config list.

4.  Do the following to make the registry keys, and hence the DCOM object, appear. These steps need to be done on the SCCM CAS/primary site server that ISE connects to.

      Adding permission to modify the registry keys

        a. The original owner of the registry keys is TrustedInstaller, which does not allow you to modify those keys. You need to take ownership and grant yourself Full Control before you can modify them. These are the registry keys that have to be added or modified in order for the DCOM object to appear. You will get the error below if you do not have permissions.


                               Figure 17

  b. Close this error dialog box and right click on the registry key where you want to make the changes and click on Permissions.


                                                                              Figure 18

  c. In the Permissions box, under its Security tab, highlight your own Administrators account and then check the box under Full Control – Allow. Click Apply > OK.

     If you see the security warning “Unable to save permission changes”, do the following.

                                    Figure 19

 d.  Open the Permissions window again, click the Advanced button instead, and click on the Owner tab.

                                                                         Figure 20

      e.  If another owner, such as TrustedInstaller, is shown, change the owner to your own account. Click Apply > OK.

Now, again in the Permissions box, under its Security tab, highlight your own Administrators account and then check the box under Full Control – Allow. Click Apply > OK.


       Adding the registry keys

        The information that you need to import into the registry is shown in the figures below. Under the AppID key, manually add the key “{76A64158-CB41-11D1-8B02-00600806D9B6}” and, inside it, a string value named DllSurrogate with a blank value:

       "DllSurrogate"="  "

                             Figure 21

                             Figure 22


                                                  Figure 23

       5.  Locate the object named “{76A64158-CB41-11D1-8B02-00600806D9B6}” as shown below.

            Right-click on the object and select “Properties”.  A dialog box will open.

            Select the “Security” tab.


                                                  Figure 24

      6.   In the “Launch and Activation Permissions” section, select the “Customize” radio button.

      7.   Now click on the “Edit…” button in that same section.  Another dialog box will open showing the permissions.

                                                                          Figure 25

     8.  Click the “Add…” button to add the new user for ISE.

     9.  In the new dialog box, ensure that the location is set to the AD domain.

    10. Enter the new username created in Step 1 and select “Check Names”.


                              Figure 26


                              Figure 27


     11.  Ensure that the username is found and is now underlined, indicating that the account is valid.

     12.  Click “OK”.

     13.  Now select “Allow” for all permissions while the new account is selected.  The end result should look similar to the following screenshot.

                                                                          Figure 28


              Select “OK” on all dialog boxes.


Step 4         

By default, Active Directory users do not have the Execute Methods and Remote Enable permissions on the WMI namespace. Grant them to the ISE account using the wmimgmt.msc MMC console.


  1. Click Start > Run and type wmimgmt.msc.
  2. Right-click WMI Control and click Properties.
  3. Under the Security tab, expand Root and choose CIMV2.
  4. Click Security.
  5. Add the Active Directory user, and configure the required permissions as shown below.


              Figure 29
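The four server-side steps above can also be scripted. The following PowerShell is an added example, not part of the original guide: it creates the AD account from Step 1, adds it to the local SMS Admins group (Step 2; setup grants that group read access to the SMS provider namespace, root\SMS\site_<SiteCode>, in which the compliance classes queried later in this guide live), adds the DllSurrogate value from Step 3, and grants Enable Account, Execute Methods and Remote Enable on root\CIMV2 (Step 4) by editing the namespace security descriptor. The NetBIOS domain name, OU path and the two AppID hive paths are assumptions, since the screenshots are not reproduced on this page. The DCOM Launch and Activation permissions from Step 3 are not scripted here and still follow the Component Services procedure.

```powershell
# Added example (not from the original guide): scripts Steps 1, 2, the registry
# part of Step 3, and Step 4 above. Run in an elevated PowerShell session on the
# SCCM primary site server. Needs the ActiveDirectory module (RSAT) for
# New-ADUser and PowerShell 5.1 for Add-LocalGroupMember.
# Domain/OU/account values are placeholders taken from this guide's screenshots
# or assumed; replace them for a real deployment.
$Domain   = 'home.local'
$NetBios  = 'HOME'                                        # assumption: NetBIOS name of home.local
$UserName = 'ise_sccm_user'                               # logon name chosen in Step 1
$OuPath   = 'OU=Service Accounts,DC=home,DC=local'        # assumption: OU for service accounts
$Account  = "$NetBios\$UserName"

# --- Step 1: AD account. Ordinary Domain User, no extra group membership in AD.
$Password = Read-Host -AsSecureString -Prompt "Password for $UserName"
New-ADUser -Name $UserName -SamAccountName $UserName `
    -UserPrincipalName "$UserName@$Domain" -Path $OuPath `
    -AccountPassword $Password -Enabled $true -ChangePasswordAtLogon $false `
    -Description 'Cisco ISE to SCCM WMI query account'

# --- Step 2: local SMS Admins group. Setup grants this group read access to the
# SMS provider namespace (root\SMS\site_<SiteCode>) that the compliance classes live in.
Add-LocalGroupMember -Group 'SMS Admins' -Member $Account

# --- Step 3 (registry part): DllSurrogate on the WMI AppID so the object shows up
# in DCOM Config and the SMB path (TCP 445) is not needed.
# Assumption: 64-bit and 32-bit (Wow6432Node) views of the AppID hive; the exact
# paths shown in Figures 21 to 23 are not reproduced on this page.
$AppId = '{76A64158-CB41-11D1-8B02-00600806D9B6}'
foreach ($hive in 'HKLM:\SOFTWARE\Classes\AppID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\AppID') {
    $key = Join-Path $hive $AppId
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Blank string value, as in the guide's "DllSurrogate"="  "
    New-ItemProperty -Path $key -Name 'DllSurrogate' -Value '  ' -PropertyType String -Force | Out-Null
}

# --- Step 4: Enable Account, Execute Methods and Remote Enable on root\CIMV2.
# WMI namespace rights from WbemCli.h: WBEM_ENABLE=0x1, WBEM_METHOD_EXECUTE=0x2,
# WBEM_REMOTE_ACCESS=0x20. No write or WRITE_DAC rights are granted.
$Mask = 0x1 -bor 0x2 -bor 0x20
$Sid  = [System.Security.Principal.NTAccount]::new($Account).Translate(
            [System.Security.Principal.SecurityIdentifier])

$sec = Get-WmiObject -Namespace 'root\cimv2' -Class '__SystemSecurity'
$sd  = $sec.GetSD().SD                                    # current descriptor, binary form
$raw = [System.Security.AccessControl.RawSecurityDescriptor]::new($sd, 0)
$ace = [System.Security.AccessControl.CommonAce]::new(
            [System.Security.AccessControl.AceFlags]::None,  # "This namespace only", the GUI default
            [System.Security.AccessControl.AceQualifier]::AccessAllowed,
            $Mask, $Sid, $false, $null)
$raw.DiscretionaryAcl.InsertAce($raw.DiscretionaryAcl.Count, $ace)
$bytes = New-Object byte[] $raw.BinaryLength
$raw.GetBinaryForm($bytes, 0)
$ret = $sec.SetSD($bytes)
if ($ret.ReturnValue -ne 0) { throw "SetSD on root\cimv2 failed: $($ret.ReturnValue)" }

# --- Verify: list the ACE just added (expect AccessAllowed with mask 0x23)
[System.Security.AccessControl.RawSecurityDescriptor]::new($sec.GetSD().SD, 0).DiscretionaryAcl |
    Where-Object { $_.SecurityIdentifier -eq $Sid } |
    Format-Table AceQualifier, @{ n = 'Mask'; e = { '0x{0:X}' -f $_.AccessMask } }, AceFlags
```

If New-ADUser ran against a domain controller other than the one the site server authenticates to, the NTAccount translation can fail until AD replication completes; rerun the Step 4 part after a few minutes in that case. The account deliberately receives only the three WMI rights the guide names and no write rights on the namespace, which is the least privilege the ISE queries need.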


Adding SCCM server as MDM in ISE

 Step 5     

Configure ISE to connect to the SCCM server, test the connection, and add the SCCM  server as an available MDM server in the ISE system.

  1. Login to the ISE Primary Admin node web interface
  2. Select Administration -> Network Resources -> External MDM


     Figure 30 

 3. Click on the “Add” button to add a new MDM server.

                              Figure 31

4. The “Name” field can be any name you want to use to reference the MDM when creating policies within ISE.  The name cannot contain any spaces.  In this example, we are using “sccm”.

5. The “Server Type” must be set to “Desktop Device Manager” for SCCM.

6. Enter the Fully Qualified Domain Name (FQDN) of the SCCM server or the IP address that is reachable from the ISE Admin node.

7. For the “Site or Instance Name”, please use the SCCM Site Name.

                                                                          Figure 32

8. The username will be the user account that was created in Step 1.  It is important to preface the username with the NetBIOS domain name.  For example, “SCCM\Isesccmuser”, where “SCCM” is the AD domain name; for the account created in this guide, the user is ise_sccm_user in the home.local domain.

9. Enter the password for the user account created in Step 1.

10. Select the “Test Connection” button at the bottom to test the connection to the SCCM server.  If the connection is successful, you should see a dialog box stating that it was successful.

11. Click the “OK” button on the success dialog.

12. Change the “Status” to “Enabled”.

13. Click “Submit” to add the new SCCM server to ISE as an MDM.

14. Verify that you can see the SCCM server added to the MDM servers Page .


New MDM Attributes in ISE for SCCM server

  • MDM.Server type: MDM (MobileDeviceManager), DM (DeviceManager)
  • MDM.lastCheckinTimeStamp: last logon/check-in timestamp for the device on SCCM
  • MDM.DaysSinceLastCheckin: number of days since the user last checked in or synced the device with SCCM. Minimum value 1, maximum value 365; if a value outside this range is specified, an error is displayed.
  • MDM.UserNotified: Yes/No – indicates whether the user has been notified (about the device not being registered/not compliant) and has acknowledged the message.


Policy Set Example:

The following table shows a set of authorization policies to support SCCM.




Preparing for ISE Integration with SCCM for Patch Management Flow


Supported Versions

Patch Management posture conditions and remediation actions are supported with ISE 1.4 and above and AnyConnect 4.1.x and above.


Patch management Conditions

Installed Check

This check evaluates whether a supported patch management software client is installed.

The condition passes when a supported PM client (as listed in the support charts) is found installed on the endpoint, and fails when no supported PM client is installed on the endpoint.


Enabled Check

This check evaluates whether the supported patch management client software is enabled.

The condition passes when it finds that the supported patch management client services are running, and fails otherwise.


Up-to-date Check

This checks the SCCM client’s patch update status. The check passes when the SCCM client installed on the endpoint indicates that there are no pending patches/updates to be installed. The PM up-to-date check looks for patches (as classified by Microsoft) that are missing on the endpoint.


The condition can be configured to check for All, Critical or other categories of patches to be installed on the client.

                                                                          Figure 33

When the SCCM client is notified by the SCCM server about missing patches, it prompts the user with the notification icon highlighted in the screenshot below.

                                                                          Figure 34


The PM up-to-date check deems the client COMPLIANT if the SCCM client has no notifications from the SCCM server that patches are pending installation.


The PM check deems the client NONCOMPLIANT if the SCCM client has received notifications from the server that patches/updates are pending installation and the user has not yet installed those patches.


Patch Management Remediation

Patch management remediation can be configured with the Manual or the Automatic remediation option. Three remediation types are available:



The first remediation type starts the required services for the supported PM client software, so that the Enabled check can pass.


Install Missing Patches

This directs the installed and supported PM client software to download and install the patch or patches that were found missing while evaluating the PM condition.


Activate Patch Management Software GUI

Displays the patch management software user interface. Follow the instructions on this page to change the software settings or initiate software updates.


Configuration steps for Patch Management condition and Remediation action on ISE

Step 1        

Go to Work Centers > Posture > Policy Elements > Conditions > Patch Management. Add a patch management condition to check for up-to-date patch status. This condition checks whether there are any pending patches to be installed in the SCCM client.



                                                                          Figure 35                       

Step 2        

Create a Patch Management Remediation action to trigger the SCCM remediation if the condition configured in Step 1 fails. Go to Work Centers > Posture > Policy Elements > Remediations > Patch Management to create the remediation action. Select the appropriate SCCM client version installed on the client. The screenshot below shows the remediation action for any pending critical patches.

                                                                          Figure 36

Step 3        

Create a posture requirement that ties together the condition and the remediation action created above.

                                                                              Figure 37

Step 4        

Create a Posture Policy to enforce it for Windows endpoints.


Steps to Validate the Patch Management solution with ISE

Step 1

On the SCCM server, configure a software update group containing at least one CRITICAL patch from Microsoft for the target endpoints, and deploy this software update group to the target collection of computers. Please refer to the screenshot below.


                                                                            Figure 38

Step 2        

On the endpoint, verify that the SCCM client reports missing patches; at least one CRITICAL patch must be missing for AnyConnect to remediate the SCCM client. Note that the pop-up is shown only when the SCCM client detects missing patches on the endpoint.


                                                            Figure 39


Step 3        

At this point, install AnyConnect (VPN and System Scan modules) and connect to a NAD that is managed by the ISE server on which the patch management policy is enforced.


Step 4        

Remediation is now triggered by the AnyConnect System Scan component, and in the process the SCCM client downloads and installs the missing critical patches required by the SCCM server’s software update group.


                                                                          Figure 40

Step 5        

If a reboot is required to complete the remediation, reboot the endpoint. A Windows pop-up on the taskbar indicates that a reboot is required to finish installing the patches.


Note: Until the system is rebooted, the up-to-date check will fail, and System Scan will show Non-Compliant after the remediation timer expires if the reboot is still pending.


After the reboot, when AnyConnect connects back to the NAD, it evaluates the PM condition’s up-to-date check again and finds all patches required by SCCM installed on the endpoint. At this point the patch management condition passes and the endpoint is deemed compliant. Please refer to the screenshots below.


                                           Figure 41



Figure 42
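The up-to-date check, the Install Missing Patches remediation and Steps 2, 4 and 5 of the validation above all hinge on what the Configuration Manager client on the endpoint itself reports as pending and whether a reboot is outstanding. The following PowerShell is an added example, not code from the original guide and not the AnyConnect/OPSWAT code path: it reads that client state through the Configuration Manager client SDK WMI namespace (root\ccm\ClientSDK), lists pending updates with their evaluation state, reports reboot-pending status, and, with -Install, hands the pending updates to the client for installation, which is the same client-side action the remediation triggers. The log path in the final message is the one listed in the troubleshooting section below.

```powershell
# Added example (not from the original guide, and not the AnyConnect/OPSWAT code
# path): read the SCCM client's own record of pending updates and reboot state on
# the endpoint. Run in an elevated PowerShell prompt on the Windows endpoint.
# Pass -Install to trigger installation instead of only reporting.
param([switch]$Install)

$ns = 'root\ccm\ClientSDK'     # Configuration Manager client SDK namespace

# CCM_SoftwareUpdate.ComplianceState: 0 = applicable and missing, 1 = installed.
# EvaluationState describes install progress (ConfigMgr SDK enumeration, subset).
$evalState = @{ 0 = 'None'; 1 = 'Available'; 2 = 'Submitted'; 5 = 'Downloading'; 6 = 'WaitInstall'
                7 = 'Installing'; 8 = 'PendingSoftReboot'; 9 = 'PendingHardReboot'; 12 = 'InstallComplete'; 13 = 'Error' }

$missing = @(Get-CimInstance -Namespace $ns -ClassName CCM_SoftwareUpdate |
             Where-Object { $_.ComplianceState -eq 0 })

# Note: this listing is not filtered by Microsoft classification; the posture
# condition can be scoped to Critical patches, this report shows everything pending.
"Pending updates reported by the SCCM client: $($missing.Count)"
$missing | ForEach-Object {
    $es = if ($evalState.ContainsKey([int]$_.EvaluationState)) { $evalState[[int]$_.EvaluationState] }
          else { "state $($_.EvaluationState)" }
    '  KB{0,-8} {1,-18} {2}' -f $_.ArticleID, $es, $_.Name
}

# A pending reboot is what keeps the up-to-date check failing after remediation
# until the endpoint is restarted (validation Step 5 above).
$rb = Invoke-CimMethod -Namespace $ns -ClassName CCM_ClientUtilities -MethodName DetermineIfRebootPending
"Reboot pending: $($rb.RebootPending) (hard reboot: $($rb.IsHardRebootPending))"

if ($Install -and $missing.Count -gt 0) {
    # Same client-side action the "Install Missing Patches" remediation triggers:
    # hand the pending CCM_SoftwareUpdate instances to the updates manager.
    $r = Invoke-CimMethod -Namespace $ns -ClassName CCM_SoftwareUpdatesManager `
             -MethodName InstallUpdates -Arguments @{ CCMUpdates = [ciminstance[]]$missing }
    "InstallUpdates returned $($r.ReturnValue); follow progress in C:\Windows\CCM\Logs\WUAHandler.log"
}
```

Run it before connecting AnyConnect to confirm the client really shows at least one missing update (otherwise the posture check passes and nothing is remediated), and again after remediation: a non-zero pending count or RebootPending = True explains a Non-Compliant result after the remediation timer.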





SCCM MDM Flow Troubleshooting

Testing the connection to SCCM server manually

Windows includes the WBEMTest tool (wbemtest.exe) for testing WMI calls. It is a built-in utility and is extremely useful for troubleshooting permissions and network connectivity.


Step 1               


                                                                          Figure 43

Step 2    

                                                                        Figure 44

Step 3    



                                    Figure 45


Step 4



                                    Figure 46



Sample query sent from ISE to SCCM Server


select SMS_R_System.Name, SMS_G_System_CI_ComplianceState.CI_UniqueID, SMS_G_System_CI_ComplianceState.ComplianceState,
       SMS_G_System_CI_ComplianceState.LocalizedDisplayName, SMS_G_System_CH_ClientSummary.LastPolicyRequest
from SMS_R_System
  left join SMS_G_System_CI_ComplianceState
    on SMS_G_System_CI_ComplianceState.ResourceID = SMS_R_System.ResourceId
  left join SMS_G_System_CH_ClientSummary
    on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceId
  left join SMS_G_System_NETWORK_ADAPTER
    on SMS_G_System_NETWORK_ADAPTER.ResourceId = SMS_R_System.ResourceId
where (SMS_R_System.MacAddresses like '%MAC_ADDRESS%')
  AND SMS_G_System_CI_ComplianceState.CI_UniqueID = 'ScopeId_5E0BA349-421B-4663-8E5F-3D2C408A3FA5/Baseline_28ff969f-cc82-4246-a15d-214d1489b076'

MAC_ADDRESS is replaced with the MAC address of the authenticating endpoint. The CI_UniqueID identifies the SCCM configuration baseline whose compliance state is evaluated; LastPolicyRequest is the client check-in time that ISE exposes as MDM.lastCheckinTimeStamp.
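The same lookup can be reproduced without WBEMTest. The following PowerShell is an added example, not part of the original guide: run from a domain-joined Windows host other than the SCCM server (Get-WmiObject refuses alternate credentials against the local machine, and a remote host exercises DCOM and any firewall in between), it checks the two ports listed in the Communicating Ports section, then runs the lookup above against the SMS provider namespace as the ISE account, split into the individual classes the joined query uses. The server FQDN, site code and endpoint MAC address are placeholders constructed for this example.

```powershell
# Added example (not from the original guide): reproduce the ISE lookup against
# the SCCM server from a domain-joined Windows host other than the SCCM server.
# All values are placeholders or constructed for this example.
$SccmServer = 'sccm.home.local'            # assumption: FQDN of the SCCM primary site server
$SiteCode   = 'P01'                        # assumption: site code entered as "Site or Instance Name" in Step 5
$Mac        = '00:50:56:AB:CD:EF'          # constructed endpoint MAC, colon format as SCCM stores it
$Cred       = Get-Credential -Message 'Account from Step 1, e.g. HOME\ise_sccm_user'

# 1. Reachability of the ports the guide lists. DCOM continues on a dynamic RPC
#    port (TCP 49152-65535 by default) after the TCP 135 handshake.
foreach ($port in 135, 445) {
    $t = Test-NetConnection -ComputerName $SccmServer -Port $port -WarningAction SilentlyContinue
    $state = if ($t.TcpTestSucceeded) { 'open' } else { 'CLOSED' }
    '{0,-6} TCP {1,-4} {2}' -f $state, $port, $SccmServer
}

# 2. The lookup ISE performs, split into the classes the joined WQL above uses.
$ns  = "root\SMS\site_$SiteCode"           # SMS provider namespace readable by SMS Admins
$wmi = @{ ComputerName = $SccmServer; Credential = $Cred; Namespace = $ns; ErrorAction = 'Stop' }

try {
    $sys = Get-WmiObject @wmi -Query "SELECT ResourceId, Name FROM SMS_R_System WHERE MACAddresses LIKE '%$Mac%'" |
           Select-Object -First 1
} catch {
    # "Access is denied" (0x80070005) here is the case covered in the two sections below
    throw "WMI query to $SccmServer ($ns) failed: $($_.Exception.Message)"
}
if (-not $sys) {
    "MAC $Mac is not registered with SCCM (ISE would treat the device as not registered)."
    return
}
$rid = $sys.ResourceId
"Registered: $($sys.Name) (ResourceId $rid)"

# Last check-in (policy request), what ISE derives MDM.DaysSinceLastCheckin from
$hb = Get-WmiObject @wmi -Query "SELECT LastPolicyRequest FROM SMS_G_System_CH_ClientSummary WHERE ResourceID = $rid"
if ($hb.LastPolicyRequest) {
    $last = [System.Management.ManagementDateTimeConverter]::ToDateTime($hb.LastPolicyRequest)
    "Last policy request: $last ($([int]((Get-Date) - $last).TotalDays) days ago)"
}

# Baseline compliance, what ISE reports as the device's compliance status.
# ConfigMgr compliance state values: 1 = Compliant, 2 = Non-compliant; others shown raw.
$label = @{ 1 = 'Compliant'; 2 = 'Non-compliant' }
Get-WmiObject @wmi -Query "SELECT CI_UniqueID, LocalizedDisplayName, ComplianceState FROM SMS_G_System_CI_ComplianceState WHERE ResourceID = $rid" |
    ForEach-Object {
        $s = if ($label.ContainsKey([int]$_.ComplianceState)) { $label[[int]$_.ComplianceState] }
             else { "state $($_.ComplianceState)" }
        '{0,-14} {1}  ({2})' -f $s, $_.LocalizedDisplayName, $_.CI_UniqueID
    }
```

If the port checks succeed but the first query throws "Access is denied", the problem is the account, its SMS Admins membership, or the DCOM/WMI permissions from Steps 2 to 4, exactly as the error messages below describe; if the query succeeds here but ISE's Test Connection fails, compare the domain prefix and site code entered in ISE with the values that worked from this host.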



Problem with User Account or Security Group Membership

ISE Error Message: "MDM Server API error  Connection failed to SCCM server host-<ip> and site -<site name>. Access is denied. Please check credentials, permissions and configure the Windows machine for DCOM access : check if SCCM server is reachable: JIException message = Access is denied, please check whether the [domain-username-password] are correct. Also, if not already done please check the GETTING STARTED and FAQ sections in readme.htm. They provide information on how to correctly configure the windows machine for DCOM access, so as to avoid such exceptions. [0x000000005]"

                                                            Figure 47 

Resolution – Ensure that the account is valid, not locked out, and that the password works.  This can be accomplished by attempting to login to the AD domain using the account.  If the login works, verify that the user account is a member of the “SMS Admins” local security group on the SCCM Server.  Any of these issues will result in the error message shown above.


Problem with DCOM Permissions

ISE Error Message: "MDM Server API error Connection Failed to the SCCM server host - <IP> and site -<site name>. access is denied. Please check credentials, Permissions and configure the Windows machine for DCOM access : Check if SCCM server is reachable : JIExceptionmessage = Access is denied. [0x80070005]"

                                                                       Figure 48


Resolution – Follow the procedure in Step 3 above to ensure that the DCOM object has been configured to allow the ISE user account to access, launch, and activate the object remotely.


Troubleshooting Connectivity Issues from ISE to SCCM server

Step 1   

Enable a packet capture on ISE (Operations > Troubleshoot > Diagnostic Tools > General Tools > TCP Dump) as shown below, then reproduce the Test Connection and confirm that the TCP 135 and 445 connections to the SCCM server complete.



Figure 49



SCCM Patch Management Flow Troubleshooting


SCCM Logs to Monitor


  • C:\Windows\CCM\Logs\ScanAgent.log (scan requests for software updates)
  • C:\Windows\CCM\Logs\WUAHandler.log (status of patch installation)
  • C:\Windows\CCM\Logs\UpdatesStore.log (details of the patches being installed during remediation)


Some of the Cisco IOS show and debug commands on the network access device that are handy for understanding and troubleshooting ISE operations are as follows:

  • show running-config aaa
  • show authentication sessions
  • show dot1x all
  • show epm statistics mac <MAC_Address>
  • show aaa servers
  • show device-sensor cache all
  • debug radius
  • debug radius authentication
  • debug dot1x all
  • debug epm all
  • debug mab all
  • debug eap events


ISE Troubleshooting


Refer to the following links for details on ISE troubleshooting:

How To: Troubleshoot ISE Failed Authentications & Authorizations

Troubleshoot and Enable Debugs on ISE

Troubleshooting Cisco's ISE without TAC

Troubleshooting TechNotes





Very well done!


Nice work - question: is the MDM/SCCM integration on ISE required? Can it be used without it to still validate if patches are missing? Per TAC, the whole MDM integration wasn't needed for patch validation, so that once the AnyConnect client with the posture module connects via VPN, ISE will wait for the client to talk to the SCCM server and, if it detects that the client received the missing-patches pop-out, it'll react.


Cisco Employee
2 separate use cases

Anyconnect integration is with SCCM as a posture agent check where

MDM has nothing to do with AnyConnect. It runs as its own app. You need to integrate MDM with ISE if you want to do enforcement and segmentation. For example, if unenrolled/quarantined due to missing patches, then limit access. This requires communication between ISE and the MDM to pass the attributes to set up the associated authorization rules.

Cisco Employee

Adding to what Jason says, 

Patch management flow is part of Posture, and as you mentioned, if the patch management condition is configured, the AnyConnect agent checks with the SCCM client on the endpoint to verify the missing patches and triggers the install.


With MDM flow, you can check the compliance of an endpoint based on the checks configured in SCCM server and authorize the user for appropriate access accordingly. Here ISE directly queries the SCCM server.

So, 2 different use cases. You do not need to integrate the SCCM server for the MDM flow to use the patch management flow.





Great - thank you for your comments/feedback and clarification. As a follow up to the SCCM/ISE (without MDM) use case, will ISE posture/anyconnect client actually trigger the client to CHECK with SCCM during posture unknown state OR does it solely rely on the client's ability to check (pending what GPO / how often timer is configured).


Use case 3: patching based on 'registry key' . Possible to check patch based on registry value key and then have remediation install ALL missing patches? Would this work or again - based on my 1st comment - can ISE anyconnect client trigger sccm client to check with sccm server because its missing certain condition (in this case reg key for patch).


Thank you.

Cisco Employee

The AnyConnect posture agent solely depends on what the SCCM client shows as pending. It cannot recheck with the SCCM server. If the client shows no patch as pending, the posture status will be compliant.

Registry check is a separate check and cannot be clubbed with the SCCM patch management check. You can create registry conditions to check for an existing key/value.


