I will open TAC for sure, my deployment information is here:

Cisco ISE 2.3

AnyConnectDesktopWindows 4.5.2036.0

AnyConnectComplianceModuleWindows 4.3.122.0

I created 3 authorization profile in cisco ise : 1-compliant 2-non-compliant  3- unknown

access list on switch for redirection purpose (I use this access list in unknown authorization profile)

Extended IP access list ACL_REDIRECT
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain 
30 deny ip any host <cisco ise ip address>
40 permit tcp any any eq www 
50 permit tcp any any eq 443 
60 deny ip any any 

unknown DACL:

permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit ip any host <ise ip address>
deny ip any any

Non-compliant DACL:

deny ip any any

compliant DACL:

permit ip any any