Solved: AnyConnect 4.10.05095 - WebView2 Breaks Azure AD Conditional Access

msaringer · ‎05-18-2022

Hello,

Since upgrading to AnyConnect 4.10.05095 we've found that our Windows clients no longer report device information as part of the SAML sign-in process which causes them to fail Conditional Access policies that require a domain-joined or InTune compliant device check. Users instead get an error that they are attempting to access a resource that requires a domain-joined device from a personal device and are unable to complete the SAML sign-in.

Looking at the Azure AD sign-in logs we can see the upgraded clients don't show the Device ID or information about the device state beyond a generic Edge User Agent. For comparison devices using previous versions of AnyConnect show the Azure AD Device ID and information about the device. This seems to be related to a setting in the implementation of the WebVew2 component as is documented here: https://github.com/MicrosoftEdge/WebView2Feedback/issues/550

For now we've reverted to using the registry key workaround documented in the AnyConnect release notes for 4.10.05095 but this is a pain to deploy and I'm not certain it will continue to operate as Microsoft phases out IE 11.

Has anyone been able to get WebView 2 working with device-based Conditional Access?

Thanks!

stsargen · ‎05-24-2022

This issue will be resolved in the next release of AnyConnect. For now the registry key must be used.

View solution in original post

stsargen · ‎05-18-2022

Please check your private messages regarding this issue.

Thanks,

Steve S.

jmlee-trevipay · ‎05-18-2022

We are having the same exact issue in our environment. Can you share the resolution for this?

stsargen · ‎05-24-2022

This issue will be resolved in the next release of AnyConnect. For now the registry key must be used.

PDubs5150 · ‎06-09-2022

Any insight on when that fixed version will be available?

Thanks,

Paul

stsargen · ‎06-09-2022

This was just posted to CCO. version 4.10.05111