By default, Multi-factor Authentication (MFA) is not enforced on offline logon. If MFA is not enforced then multi-factor authentication is not required at all at offline logon. If MFA is enforced, then those users who are required to log on with MFA at online logon will also be required to log on with MFA at offline logon. (those who are not required to log on with MFA at online logon will also not be required to log on with MFA at offline logon).
To enforce MFA for offline logon, edit the "Computer Logon Client" policy in the DualShield Admin Console:
Enforce multi-factor authentication on network domain logon
If this option is enabled then two-factor authentication is enforced on all domain users at offline logon.
Enforce multi-factor authentication on local computer logon
If this option is enabled then two-factor authentication is enforced on all local users at offline logon.
Download offline tokens automatically
If this option is enabled then offline tokens will be downloaded automatically to users' machines.