After upgrading the MFA agent, Windows console authentication fails with the error "cannot authenticate. Contact your administrator", as shown in the screenshot below. However, login over Remote Desktop Protocol (RDP) works as expected: the user can authenticate successfully over RDP and log in to the machine.
The following is displayed in the MFA agent verbose logs:
The RSA installer defers reboot decisions to the Windows Installer as 'best practice'. When that happens, Windows Installer won't prompt for a reboot, so the console continues to hold the 'old' CredProvider in LogonUI. RDP works because each RDP authentication runs in a new instance of LogonUI, which correctly loads the 'new' CredProvider.
Restarting the machine updates the CredProvider in LogonUI. After the restart, console authentication should work as expected.
Forcing a reboot would be an overreaction, since a general installer's goal is to avoid reboots unless necessary. There are other use cases, for example server OSes running on a physical system, where a forced reboot is overkill.
This issue can be reported in all Windows Agents that implement a CredProvider, not just the MFA agents configured to authenticate directly to CAS.
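To confirm that a machine is in the state described above, an administrator can compare the start time of each running LogonUI instance, and the last boot time, with the time of the agent upgrade. The script below is an added example, not RSA's code; the -UpgradeTime parameter and the script name in the comment are assumptions, and the upgrade time must be supplied by the administrator.

```powershell
# Added example. Hypothetical usage:
#   .\Find-StaleLogonUI.ps1 -UpgradeTime '2024-01-15 10:30'   (constructed date)
param(
    # Assumption: when the agent upgrade finished, supplied by the administrator
    # (for example from the installer log). Not a value from the article.
    [Parameter(Mandatory = $true)]
    [datetime]$UpgradeTime
)

# A boot after the upgrade means every LogonUI instance was started afterwards.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$rebootedSinceUpgrade = $os.LastBootUpTime -gt $UpgradeTime

# List every running LogonUI.exe with its session and start time.
$logonUi = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = 'LogonUI.exe'")

$report = foreach ($p in $logonUi) {
    [pscustomobject]@{
        ProcessId       = $p.ProcessId
        SessionId       = $p.SessionId
        Started         = $p.CreationDate
        # True when this instance was started before the upgrade completed,
        # so it may still hold the credential provider it loaded back then.
        PredatesUpgrade = $p.CreationDate -lt $UpgradeTime
    }
}

"Last boot: {0}  Upgrade: {1}  Rebooted since upgrade: {2}" -f `
    $os.LastBootUpTime, $UpgradeTime, $rebootedSinceUpgrade

if ($report) {
    $report | Sort-Object SessionId | Format-Table -AutoSize
} else {
    "No LogonUI.exe instance is running right now."
}

$stale = @($report | Where-Object { $_.PredatesUpgrade })
if ($stale.Count -gt 0) {
    "LogonUI instance(s) started before the upgrade are still running; restart the machine."
} elseif (-not $rebootedSinceUpgrade) {
    "No stale LogonUI instance found, but the machine has not been restarted since the upgrade."
}
```

Run it from an elevated PowerShell session on the affected machine, for example over the RDP session that still works.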