Okay, so we are deploying MFA to our windows server.

And I've realized a big ISSUE.. And I'm assuming it's a GPO/configuration change in the fortiauthenticator agent v3.2 (windows 2012, and running 6.21 on the fortiauthenticator.

So I hit the login screen, can do the MFA etc.. but I can also hit the back, and go to other login, and do a normal windows login without MFA.. (Which we want to require!)

Especially since some accounts are domain admins.  And I do have an account or two excluded (for backdoor entry etc..) .. But the big issue is I can get around it.