We are testing the Windows MFA Agent (2.1.1.) in our desktop environment, but after installing and configuring the GPO templates on the domain controller, computers placed into the linked OU are not getting an RSA authentication prompt. In fact, occasionally it is signing the user directly into Windows without even a logon prompt at all.
This feels like a misconfigured GPO settings. What particular settings could trigger something like this to happen? I will be glad to share our configuration choices if necessary.
Or if the GPO settings are good, what else could be causing the RSA prompt to not appear?