Exam 350-701 topic 1 question 237 discussion

I'm struggling to find a good link on this, but seems to me that ISE will not patch an endpoint by himself, instead it relies on WSUS for this. So, A is probably incorect, and the right answer is CE. Anyone else?

It's A and C source: https://community.cisco.com/t5/security-documents/how-to-integrate-cisco-ise-with-microsoft-sccm-for-patch/ta-p/3725035#toc-hId--2070782007

I believe A is correct - A posture policy can be made with the remediation action that redirects the user to a remediation portal where they must install the MS17-010 patch before regaining full access.

anyone consider D? if your a client w tcp 445 open?? you could have been vulnerable.. file servers w tcp 445 ok.. but clients??

ISE does not intall patches , remediation policies does not install patches , Remediation policies does trigger installations by third party systems... A is malformed answer , C and E are totally correct

If you go look at the posture policy section of the admin guide (https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_client_posture_policies.html#task_DBFD37F536134843BC81C4DFEF34A8EC) you see that there is nothing in there that allows ISE to INSTALL a patch which is what it says for answer A). Can it be integrated with SCCM to invoke an action in SCCM to update with a patch? Yes. Can ISE itself install that patch? No. Answer is C and E.

Option C specifically addresses the vulnerability that was exploited by the WannaCry ransomware, which is the MS17-010 patch that was not installed on the endpoint. By configuring a posture policy to check that the endpoint patch level is met before allowing access to the network, the organization can ensure that all endpoints have the necessary patches installed to mitigate the risk of this ransomware. Option E is still a good solution in general to ensure that endpoints are patched in a timely fashion, but it does not specifically address the vulnerability that was exploited by the WannaCry ransomware.

https://community.cisco.com/t5/network-access-control/ise-posture-windows-updates/td-p/3575621

ISE wouldn't know how to patch an Windows OS. It needs integration with some patching system.

ICE can check for patches not install them in the end user's OS

A and C is correct. SCCM will integrate to do the patching as others mentioned and E is only not an option as it asks what can be done to mitigate THIS ransomware infection and not best practices overall.

People are saying patching isnt possible from ISE but the doco show it is configurable. https://community.cisco.com/t5/security-documents/how-to-integrate-cisco-ise-with-microsoft-sccm-for-patch/ta-p/3725035#toc-hId--2070782007 Step 1 Go to Workcentre-> Posture-> Policy Elements-> Condition-> Patch management. Add a patch management condition to check for up-to-date patch status. This conditions checks if there are any pending patches to be installed in the SCCM client.

I'd go with A and C here.

Hello TEAM, Well you want to check if a specified KB its patched in your system, okay nice the Answer is: A. Configure a posture policy in Cisco Identity Services Engine to install the MS17-010 patch before allowing access on the network. but I think the appropriate answer for this is C. Configure a posture policy in Cisco Identity Services Engine to check that an endpoint patch level is met before allowing access on the network. Well that's means A and C its the same but C its more completed answer. So the answer is C and E

A: Patch will be installed by ISE NAC agent on endpoint C: ISE checks the endpoint first if that is compliant (NAC agent) B: Make no sense "profiling policy"

A+C is correct, just confirmed

A and C for me ....question states for THIS expolit