Having a problem where I have Windows 7 and Windows 8.1 clients connecting to the network via wireless, they already have Anyconnect 4.3.x installed with ISE posture checking for AV installed.  When the AuthZ rule for EAP Chaining sees posture status equal to unknown when a user logs in it immediately fires up IE and tries to do a web based ISE posture check.  But if you wait a little bit, Anyconnect runs and does an ISE posture check itself and completes.  And then of course a CoA happens and the status goes to compliant/permit access.  But that IE window for ISE posture is still sitting there.

Its driving my mock production group crazy.  Its like the web redirect doesn't know that Anyconnect is already on the box.

I spoke to TAC and they suggested this is a problem with IE and there is no ISE config to correct this problem.  Does anyone know the reg key to disable this behavior?

Also, my concern is that once this behavior is disabled in Windows 7 and Windows 8.1, those users then when connecting to guest networks managed by ISE will not see a web auth redirect.  However my Windows 10 users don't ever see the ISE posture web auth redirect, but they do see... as expected... a guest network web auth redirect.

Outside of here its been suggested that the windows 7/8.1 "HotspotAuthentication" reg key is the problem.  Setting this to zero does not resolve the issue.  Software\Policies\Microsoft\Windows\HotspotAuthentication Enabled=0

confusing.

Any help is greatly appreciated.
-e

As a side note I would love to be able to image all the files to the machine and not have to use client provisioning to fire off ISE posture, feature request.