FIDO2 Authentication Does Not Work With Webpages Opened Using Microsoft Edge



Article ID: CTX693385


Description

  • Users cannot authenticate to a website that requires FIDO2 authentication with a YubiKey when using Microsoft Edge on VDA devices.
  • The users are repeatedly prompted to select a smart card device.
  • The same users can authenticate to the same website using Chrome or Firefox inside the same VDA session.
  • Clearing the browser cache or using an InPrivate window does not resolve the issue.


Resolution

The issue is caused by the following Edge policy, which is set by the Microsoft Edge security baseline:

Key:   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge
Value: DynamicCodeSettings
Type:  REG_DWORD
Data:  1 (dynamic code disabled)

Setting DynamicCodeSettings to 0 (the Edge default, dynamic code allowed) resolves the issue. Note that this relaxes a dynamic code mitigation the baseline enables for Edge processes, so scope the change to the VDAs that need FIDO2 redirection, and make it at the policy source (GPO or Intune) rather than only in the local registry; otherwise the baseline reapplies the value 1 at the next policy refresh.

https://learn.microsoft.com/en-us/deployedge/microsoft-edge-browser-policies/dynamiccodesettings#dynamic-code-settings
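The following PowerShell script is an added example, not part of the Citrix article, that audits the DynamicCodeSettings policy on a VDA and, with the script's own -Remediate switch, sets it to 0. The registry key and value name come from the article; the -Remediate and -WhatIf handling is an assumption of this script, not a Citrix or Microsoft tool. Run it in an elevated session on the VDA.

```powershell
# Added example (not from the Citrix article): audit and optionally remediate the
# Edge DynamicCodeSettings policy that breaks Citrix FIDO2 redirection.
# Assumption: -Remediate is a parameter of this script only.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # set DynamicCodeSettings to 0 instead of only reporting it
)

$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$valueName = 'DynamicCodeSettings'

# Read the current policy data; $null means the value (or key) is absent.
$current = $null
if (Test-Path -Path $keyPath) {
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $current = [int]$item.$valueName }
}

if ($null -eq $current) {
    "Policy $valueName is not set (Edge default: dynamic code allowed)."
} elseif ($current -eq 0) {
    "Policy $valueName = 0 (default dynamic code settings)."
} elseif ($current -eq 1) {
    "Policy $valueName = 1 (dynamic code disabled). This value breaks FIDO2 redirection."
} else {
    "Policy $valueName has unexpected data: $current"
}

# Only touch the registry when asked to and when the breaking value is present.
if ($Remediate -and $current -eq 1) {
    if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", 'Set to 0')) {
        Set-ItemProperty -Path $keyPath -Name $valueName -Value 0 -Type DWord
        "Set $valueName to 0. Close all Edge windows so the new value is picked up."
        "If this value is delivered by GPO or Intune, change it there as well, or it will be reapplied."
    }
}
```

Run `.\Check-EdgeDynamicCode.ps1` to report only, `.\Check-EdgeDynamicCode.ps1 -Remediate -WhatIf` to preview the change, and `.\Check-EdgeDynamicCode.ps1 -Remediate` to apply it.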


Problem Cause

The Citrix FIDO2 redirection feature requires CtxWebAuthnHook.dll to be loaded into the browser process. Some sandboxed Edge processes (those running in an AppContainer) were not loading CtxWebAuthnHook.dll, so the WebAuthn data redirected from the client device could not be processed by Edge.

Closing all instances of Edge and starting Edge without the sandbox (AppContainer) using the following command allowed Edge to connect to the Citrix FIDO2 service, and users could authenticate:

C:\>"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-sandbox

This confirms the cause but is a diagnostic step only, not a workaround to deploy: --no-sandbox disables the Chromium process sandbox for every Edge child process and removes a key exploit mitigation. Use the DynamicCodeSettings change described under Resolution instead.
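The following PowerShell diagnostic is an added example, not part of the Citrix article, that lists every running Edge process on the VDA and reports whether CtxWebAuthnHook.dll is loaded in it, so the "hook not loaded" condition described above can be observed directly instead of inferred from the smart card prompt. The module name is taken from the article; identifying the process role from the Chromium --type command-line switch is an assumption of this script. Run it as an administrator inside the VDA session with Edge open on the FIDO2 page.

```powershell
# Added diagnostic (not from the Citrix article): which msedge.exe processes
# have the Citrix WebAuthn hook module loaded?
$hookName = 'CtxWebAuthnHook.dll'

$edgeProcs = Get-Process -Name msedge -ErrorAction SilentlyContinue
if (-not $edgeProcs) {
    "No msedge.exe processes are running."
    return
}

'{0,6}  {1,-12}  {2}' -f 'PID', 'Role', 'Status'
foreach ($p in $edgeProcs) {
    # Chromium passes the child process role on the command line (--type=renderer,
    # gpu-process, utility, ...); the main browser process has no --type switch.
    # Assumption: this is how we classify processes; it is not a Citrix check.
    $cmd  = (Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.Id)").CommandLine
    $role = if ($cmd -match '--type=([a-z-]+)') { $Matches[1] } else { 'browser' }

    try {
        # Modules enumerates loaded DLLs; compare case-insensitively on the file name.
        $loaded = [bool]($p.Modules | Where-Object { $_.ModuleName -ieq $hookName })
        $status = if ($loaded) { 'hook loaded' } else { 'hook NOT loaded' }
    } catch {
        # Module listing for a sandboxed process can be denied, or fail on a
        # 32-/64-bit mismatch between this PowerShell host and Edge.
        $status = "module list unavailable: $($_.Exception.Message)"
    }

    '{0,6}  {1,-12}  {2}' -f $p.Id, $role, $status
}
```

Compare the output before and after applying the DynamicCodeSettings change (or after the --no-sandbox test): the processes that report "hook NOT loaded" with the policy set to 1 should report "hook loaded" once Edge is restarted with the policy at 0.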