If a workstation or server is locked, you can choose whether to protect the unlocking of a workstation or server by choosing one of four methods
- AD Password Authenitcation Only
- Multi-Factor Authentication
- 2nd Factor only (AD Pasword is cached)
- Decided by the Logon Policy
By default the authentication method is decided by the logon policy, therefore if the logon policy dictates that MFA is required for signiong in from scratch, then MFA will also be required to unlock the screen. However not everybody likes to have to continually authenticate with a second factor, partucalrly if the end user has just stepped away from thier PC for two minutes, so this extra policy gives the flexibility.
To modify how you wish screen unlock authentication to behave, log into the Administration Console and go to Administratin>Policies