I am trying to configure MFA for active directory domain accounts using the Authentication Agent. I have it working, except for a weird loophole regarding the Windows 7 logon screen. I am able to completely bypass the RSA authentication screen by clocking the "other user" option and logging on normally. RSA support has told me that I have to work around this issue using group policy. But I cannot seem to get around this problem. I have tried to configure the policy to hide entry points for fast user switching. This gets rid of the switch user option while logged into windows. But if I restart and get to the main logon screen, the switch user button is still there and I am able to logon as another user. I have also tried enabling the policy to not show the last logged on user. But that does not help either. There must be a way around this, because it is just too glaring of a hole. Can anyone tell me how to accomplish this? The goal is to get it so that the RSA authentication is the only thing that shows when Windows boots up, and users do not have an option to log on as another user.