07-11-2015 09:21 PM
I know the most advanced features and remediation features require premium and advanced endpoint assessment licensing, but what is the most you can do to verify only "approved" managed workstations authenticate successfully through the ASA when using only the most basic Essentials licensing?
I have heard some say that you can't do anything without upgrading to extra cost licensing.
I thought you are supposed to be able to screen registry keys, existence of expected files and verify running processes that mandatory software would use even with the basic hostscan.
If we can at least do that, instead of directly checking for antivirus with an advanced hostscan, couldn't we at least check for the existence of files that the approved antivirus products must have to function and that the required antivirus processes are actively running and also verify that registry keys related to approved active directory domain membership are present?
Those basic checks wouldn't prove that the AV is up to date, but it would at least screen out random users' personal PCs they somehow installed the AnyConnect client on because those unauthorized computers wouldn't have the corporate antivirus products installed at all and are not members of any of our domains.
Can this be done with the basic Essentials licensing?
Anything else useful that can be done to screen connecting computers without upgrading licensing?
07-14-2015 09:20 PM
Hi,
In order to enable Host Scan features, you must have an AnyConnect Premium license installed on the ASA.
HTH
Abaji.