We have begun to roll out Workstation MFA on user system, enforcing a failure if the network (or any network) is not available, so we don't allow user to bypass the MFA requirement.
That said, our environment, along with others like our customers we service, have NPS/NAC products that not only introduce delays as policy is applied (who on what system? is this permitted?) and is a cause of a lot of headaches as our users have to attempt the Workstation MFA login challenge 3-5 times, most of those failing for "no network connection" despite the system HAS a network connection.
I'd love to report that this is fixable, but right now, it looks like the Workstation MFA app has been programmed to only attempt a single PING (ICMP) attempt to a programmed FQDN and if that ping fails, that's the end of that, it doesn't attempt to retry it again and just dies back to the user. If you doubt this, give your FW team a chance to pcap or on your system a Wireshark running and you will be able to easily see the same behavior on your own.
So a successful Workstation MFA attempt will be the following all having to occur successfully in a timely manner: PING, followed by TCP/TLS handshake to that resolved IP address by PING, and then you will get the pop up for responding to a PUSH or inputting your current MFA 6 digit code. That PING is a one time, it will never automatically retry, it's a one time, one PING attempt per each login attempt.... which is in my opinion a short sighted design for a network that may have delays that a 2nd or 3rd attempt would help resolve the current failure behavior.
Looking to see if anyone else has encountered this, or a tolerable workaround.