How to prevent user to stop AnyConnect ISE posture process

xili5
Cisco Employee

Hi,

Since AnyConnect ISE posture is the agent for the compliance check, it is important that the process/service of this posture module cannot be killed/stopped by users. I know we may rely on AD user permissions so that normal AD users do not have enough permission to do that. But besides that, is there a way to achieve this through a setting of AnyConnect itself, without relying on AD permissions?

I found the possible solution of Windows lockdown below. But it does not explicitly mention whether the ISE posture module supports lockdown.

1. Has anyone done this before? If we are able to use the Windows lockdown setting for the ISE posture module, could anyone provide details of how to do that (probably a Microsoft guide)?

2. What is the Cisco recommended solution for this requirement?

Setting Windows Lockdown—Cisco recommends that end users be given limited rights to the Cisco AnyConnect Secure Mobility Client on their device. If an end user warrants additional rights, installers can provide a lockdown capability that prevents users and local administrators from switching off or stopping the AnyConnect services. You can also stop the services from the command prompt with the service password.

The MSI installers for VPN, Network Access Manager, Web Security, Network Visibility Module, and Umbrella Roaming Security Module support a common property (LOCKDOWN). When LOCKDOWN is set to a non-zero value, Windows service(s) associated with that installer cannot be controlled by users or local administrators on the endpoint device. We recommend using the sample transform that we provide to set this property, and apply the transform to each MSI installer that you want to have locked down. You can download the sample transforms from the Cisco AnyConnect Secure Mobility Client software download page.

Many thanks in advance.

1 Reply

hslai
Cisco Employee

Moved to Anyconnect.

Windows Pre-Deployment Security Options in the AnyConnect 4.6 Administrator Guide says:

...

Windows Lockdown Property

Each MSI installer supports a common property (LOCKDOWN) which, when set to a non-zero value, prevents the Windows service(s) associated with that installer from being controlled by users or local administrators on the endpoint device. We recommend that you use the sample transform (anyconnect-vpn-transforms-X.X.xxxxx.zip) provided at the time of install to set this property and apply the transform to each MSI installer that you want to have locked down. The lockdown option is also a check box within the ISO Install Utility.

...
So, it does not appear specific to other modules only.

pcarco and I discussed this, and it appears to us that most deployments require the ISE posture module to assess and report the compliance status before granting full access, so stopping the service does not benefit the users much other than for the continual checks, such as preventing access to USB mass storage.
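As an added example (not from either post or from Cisco's documentation), the following PowerShell pre-deploys each AnyConnect MSI with the LOCKDOWN property set and then verifies from an elevated shell that the resulting services refuse to be stopped. The deployment directory, log paths and the `Cisco AnyConnect*` display-name filter are assumptions; substitute your own.

```powershell
# Added example: pre-deploy AnyConnect MSIs with LOCKDOWN=1, then verify the lockdown.
# Assumptions (placeholders): the MSI directory below and the service display-name filter.
$msiDir = 'C:\Deploy\AnyConnect'   # placeholder: folder holding the predeploy MSIs
$msis   = Get-ChildItem -Path $msiDir -Filter '*.msi'

foreach ($msi in $msis) {
    # LOCKDOWN is a public MSI property, so it can be set on the msiexec command line
    # as an alternative to applying Cisco's sample transform (TRANSFORMS=<file>.mst).
    $msiArgs = @(
        '/i', "`"$($msi.FullName)`"",
        'LOCKDOWN=1',
        '/qn', '/norestart',
        '/l*v', "`"$msiDir\$($msi.BaseName).log`""
    )
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but reboot required
    if ($proc.ExitCode -notin 0, 3010) {
        Write-Warning "$($msi.Name) failed with msiexec exit code $($proc.ExitCode)"
    }
}

# Verification: even a local administrator should be unable to stop a locked-down service.
$services = Get-Service | Where-Object { $_.DisplayName -like 'Cisco AnyConnect*' }
foreach ($svc in $services) {
    try {
        Stop-Service -Name $svc.Name -ErrorAction Stop
        Write-Warning "$($svc.Name) could be stopped: LOCKDOWN is NOT in effect"
        Start-Service -Name $svc.Name
    } catch {
        Write-Host "$($svc.Name): stop refused as expected ($($_.Exception.Message))"
    }
    # Dump the service's security descriptor (SDDL) so it can be compared with a
    # non-locked-down install and recorded as part of the deployment evidence.
    sc.exe sdshow $svc.Name
}
```

Run the verification step a second time under a standard (non-admin) user to confirm that ordinary users are also denied, which is the requirement the original question raises.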