Field Notice: FN – 72552 – Identity Services Engine: Connections To Microsoft Endpoint Configuration Manager Might Fail After The March 14, 2023 Microsoft Security Patch Is Installed – Workaround Provided

Problem Description
For all wired, wireless, and VPN deployment scenarios, the Cisco Identity Services Engine (ISE) for Mobile Device Management (MDM) solution deployments might no longer be able to connect and obtain compliance information from the Microsoft Endpoint Configuration Manager (MECM) after the March 14, 2023 Microsoft security patch is installed.

Background
Cisco ISE uses a Windows Management Instrumentation (WMI) query to obtain endpoint registration and compliance status from the MECM server. This query requires authentication with the MECM server. Microsoft uses Distributed Component Object Model (DCOM) for communication between software components of networked devices. As part of security hardening, the Microsoft security patch update released on March 14, 2023 will deprecate the low level authentication that is required by Cisco ISE. For MDM solution deployments only, this causes the connection to the MECM server to fail and compliance information will not be obtained. The security hardening changes are enabled by default and there is no ability to disable the security hardening changes after installation of the Microsoft security patch. ISE posture functionality with the Cisco AnyConnect Secure Mobility Client is not affected by the issue described in this field notice. Additional information for the March 14, 2023 Microsoft security patch update can be found in Manage changes for Windows DCOM Server Security Feature Bypass. Note: MECM was previously known as System Center Configuration Manager (SCCM).

Problem Symptom
After the March 14, 2023 Microsoft security patch is installed, the Cisco ISE MDM solution will not be able to retrieve endpoint attributes and compliance information. The integration status for on-prem MECM is shown as “Enabled” (ISE > Administration > Network Resources > External MDM). Alarms that state “External MDM Server Connection Failure” are shown in ISE. Using “Test Connection” in the ISE MDM server settings results in an error that states “Connection to server failed with: MDM Server API error” and a message that indicates “Access is denied” and “Configure the Windows Machine for DCOM Access” is displayed.

This advisory is available at the following link:
https://www.cisco.com/c/en/us/support/docs/field-notices/725/fn72552.html