Has anyone updated to Windows 1709 with MFA running? If an admin tries to do a local task, the admin account wants MFA even if it is not configured to do so. We are using the same configuration on a 1607 machine and it does not prompt for MFA to run elevated tasks. RDP to another machine without MFA running also does not work, and we have not tried the registry edit for that yet.
You have to exempt your RDP applications, such as "C:\Windows\System32\mstsc.exe" and "C:\Windows\System32\CredentialUIBroker.exe", from the new Windows requirement that wants the Passcode. You can do this in the registry with a REG_SZ value named "RDCFileName" under \Local Authentication Settings, or GPO with 7.3.3 agent, under 'Enable Support for Multiple Remote Desktop Applications', for Remote Desktop Connections.
Also have a look at RDP prompting for RSA passcode to get an idea about this.