AnyConnect (Secure Client) Windows 10/11 Pop-ups

Solved
janic
Here to help

Hi,

 

thought I'd try my luck on here, since Meraki Support rejected my case because they don't provide extended support for the AnyConnect client and VPN profiles. We've got multiple customers using the AnyConnect client on Windows and with default settings the client shows up each time a network change is detected, which is just infuriating. Upon searching the web I've found multiple settings which helped in some cases but not all. 

 

 

  • Disable Windows Notifications for "Cisco Secure Client"
  • Setting the AutomaticVPNPolicy behaviour in the VPN Profile XML:

 

		<AutomaticVPNPolicy>true
			<TrustedDNSDomains>corp.customer.com</TrustedDNSDomains>
			<TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
			<UntrustedNetworkPolicy>DoNothing</UntrustedNetworkPolicy>
			<BypassConnectUponSessionTimeout>false</BypassConnectUponSessionTimeout>
			<AlwaysOn>false
			</AlwaysOn>
		</AutomaticVPNPolicy>

 

  • Changing the DWORD value to disable "StatusPopups", can also be achieved with right-click on the client in the system tray -> "Show Notifications".

 

# Define the path and property
$registryPath = "HKCU:\Software\Cisco\Cisco Secure Client"
$propertyName = "EnableStatusPopups"
$propertyValue = 0
$propertyType = "DWORD"

# Check if the path exists
if (-not (Test-Path $registryPath)) {
    # Create the path
    New-Item -Path $registryPath -Force
}
# Create or update the property
New-ItemProperty -Path $registryPath -Name $propertyName -Value $propertyValue -PropertyType $propertyType -Force

 

 

Does anyone have any idea why the client still shows up out of nowhere? It just pops up on the main screen even though "Show Notifications" is disabled. 


1 Accepted Solution
janic
Here to help

I've found a solution, I guess writing everything down helped to point me in the right direction. If anyone ever has the same problem, here's what I had to adjust.

 

  • Disable the captive portal detection in your VPN profile XML if you don't need it (Preferences Part 1 in the Profile Editor):
<DisableCaptivePortalDetection UserControllable="true">true</DisableCaptivePortalDetection>
  • The AutomaticVPNPolicy in the XML shouldn't prompt the user at any point (Preferences Part 2 in the Profile Editor):
		<AutomaticVPNPolicy>true
			<TrustedDNSDomains>corp.customer.com</TrustedDNSDomains>
			<TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
			<UntrustedNetworkPolicy>DoNothing</UntrustedNetworkPolicy>
			<AlwaysOn>false
			</AlwaysOn>
		</AutomaticVPNPolicy>
  • Be sure to disable all AnyConnect notifications on Windows and in the AnyConnect Client itself, we deploy a .ps1 script to change the settings.
# Define the path and property
$registryPath = "HKCU:\Software\Cisco\Cisco Secure Client"
$propertyName = "EnableStatusPopups"
$propertyValue = 0
$propertyType = "DWORD"

# Check if the path exists
if (-not (Test-Path $registryPath)) {
    # Create the path
    New-Item -Path $registryPath -Force
}
# Create or update the property
New-ItemProperty -Path $registryPath -Name $propertyName -Value $propertyValue -PropertyType $propertyType -Force

# Define the path and property
$registryPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Cisco.SecureClient"
$propertyName = "Enabled"
$propertyValue = 0
$propertyType = "DWORD"

# Check if the path exists
if (-not (Test-Path $registryPath)) {
    # Create the path
    New-Item -Path $registryPath -Force
}
# Create or update the property
New-ItemProperty -Path $registryPath -Name $propertyName -Value $propertyValue -PropertyType $propertyType -Force

 

Frustrating to deal with this for a paid enterprise software, but I guess we all have to. I couldn't find a solution in any forum, hopefully this will help someone else.
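
Added example, not part of the original post and not Cisco tooling: a read-only PowerShell check that reports the two registry values and the profile elements named in the solution above, so a deployment can be verified per user. The registry paths and value names are the ones posted above; the profile XML is a constructed sample, and its wrapper elements, namespace and the helper function names are assumptions.

```powershell
# Added example: read-only audit of the settings discussed in this thread.
# Registry paths and value names are the ones posted above. The profile XML is a
# constructed sample; its wrapper elements and namespace are assumptions.
$sampleProfile = @'
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <DisableCaptivePortalDetection UserControllable="true">true</DisableCaptivePortalDetection>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.customer.com</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>DoNothing</UntrustedNetworkPolicy>
      <AlwaysOn>false
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>
'@

function Get-ProfileSetting {
    param([xml]$Xml, [string]$Name)
    # local-name() matches the element whether or not the profile declares a namespace.
    $node = $Xml.SelectSingleNode("//*[local-name()='$Name']")
    if (-not $node) { return $null }
    # AutomaticVPNPolicy and AlwaysOn hold their value as leading text followed by
    # child elements, so read the first text node instead of InnerText.
    $text = $node.SelectSingleNode('text()')
    if ($text) { $text.Value.Trim() } else { $null }
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist (setting never deployed).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# For a deployed profile, replace the sample with: [xml](Get-Content -Raw <profile path>)
$xml = [xml]$sampleProfile
$toastKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Cisco.SecureClient'
[pscustomobject]@{
    EnableStatusPopups            = Get-RegValue 'HKCU:\Software\Cisco\Cisco Secure Client' 'EnableStatusPopups'
    WindowsNotificationsEnabled   = Get-RegValue $toastKey 'Enabled'
    DisableCaptivePortalDetection = Get-ProfileSetting $xml 'DisableCaptivePortalDetection'
    AutomaticVPNPolicy            = Get-ProfileSetting $xml 'AutomaticVPNPolicy'
    TrustedNetworkPolicy          = Get-ProfileSetting $xml 'TrustedNetworkPolicy'
    UntrustedNetworkPolicy        = Get-ProfileSetting $xml 'UntrustedNetworkPolicy'
    AlwaysOn                      = Get-ProfileSetting $xml 'AlwaysOn'
} | Format-List
```

Both registry values live under HKCU, so the check has to run in each user's context; an empty field means the setting was never written for that user. With notifications off, this report is also the quickest way to confirm that UntrustedNetworkPolicy and AlwaysOn are set the way you intend, since the client will no longer surface its state to the user.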


4 Replies 4
alemabrahao
Kind of a big deal

Have you tried disabling its startup in Anyconnect in the task manager?
 
Support is correct in their approach, this is not a Meraki related issue.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
janic
Here to help

That's not really a solution, once you start it, it will pop up even if you're connected. And in what world would a customer accept this 😅? I've posted my findings below, still can't wrap my head around the fact the pop-up is a default behaviour and has to be disabled through so many settings. I guess they all work on MacBooks.

jmacres
New here

I agree, on 4.10XXXX  Just disable notifications.

 
