Have the root CA (and intermediate CAs if any) of your ISE admin cert imported in your client's trusted store. Both admin and portal certs are presented during Posture flow.
You absolutely don't need AD for that... Just use ISE to register your guests and it will provide credentials that they can use to login (via guest portal) against ISE' Guest directory.
Arne,
Can you elaborate more about the DHCP option? do we know what DHCP class id specifically for Windows 10? I have seen both versions send "dhcp-class-identifier = MSFT 5.0" and by default ISE uses this attribute (dhcp-class-identifier CONTAINS ...