Continue with MFA Challenges after Failed Windows Authentication in Logon Screen

Configuring this policy setting allows you to continue with MFA challenges, even with a failed Windows authentication.

The following is recommended for PCI DSS or NIST 800-53 guidelines for multi-factor or multi-step authentication.

If this policy is set to Enabled, authentication on the Windows logon screen continues with MFA challenges with the wrong password or use of expired/locked out/disabled accounts.

Specify the multi-factor authentication grace period is disabled when this policy is enabled.

If this policy is set to Disabled or Not Configured, authentication on Windows logon screen fails immediately when you enter the wrong password and the MFA challenges are not triggered. To continue to the second MFA challenge when previous challenge response failed, use the policy "Continue with additional challenges after failed challenge" in the Admin Portal.