Has anyone updated to windows 1709 with MFA running? If an admin tries to do a local task the admin account wants MFA even if it is not configured to do so. We are using the same configuration on a 1607 machine and it does not prompt for MFA to run elevated tasks. RDP to another machine with out MFA running also does not work and we have not tried the registry edit for that yet.
You have to exempt your RDP applications, such as ""C:\Windows\System32\mstsc.exe" and "C:\Windows\System32\CredentialUIBroker.exe"
from the new Windows requirement that wants the Passcode. You can do this in the registry with a REG_SZ value named "RDCFileName" under \Local Authentication Settings, or GPO with 7.3.3 agent, under 'Enable Support for Multiple Remote Desktop Applications, for Remote Desktop Connections
Also have a look at RDP prompting for RSA passcode to get an idea about this.
We can bypass the RDP with the registry edit it is the interaction on the local machine that has changed. You can not longer user a admin account on a machine that has mfa on it unless that admin account is using mfa. This changed between update 1607 to 1709 which we can repeat on machines running two different feature releases from Microsoft.
To further clarify what is happening. The 1607 machine when you say run add remove programs it brings up the UAC asking for admin rights to access that function. The support person puts their admin credentials in and move on no MFA needed for the admin. You repeat the same process on the 1709 machine the admin is locked out of the machine unless you enable MFA on the admin account. The 1709 machine requires MFA for all users even if they are not required to use MFA on that device. We have our policy set to only users in an AD group are required to have MFA. Which all works flawlessly on 1607.
This ended up being an issue with the GPO to set the required group. The AD administrator forgot to include the domain name\ group name when creating the gpo.
You have to exempt your RDP applications, such as ""C:\Windows\System32\mstsc.exe" and "C:\Windows\System32\CredentialUIBroker.exe"
from the new Windows requirement that wants the Passcode. You can do this in the registry with a REG_SZ value named "RDCFileName" under \Local Authentication Settings, or GPO with 7.3.3 agent, under 'Enable Support for Multiple Remote Desktop Applications, for Remote Desktop Connections
Also have a look at RDP prompting for RSA passcode to get an idea about this.