During a login attempt on a system integrated with VIP for MCP, a no2FA group member or other excluded user received a PUSH or is prompted for a VIP security code

During the login flow, The user enters an Active Directory (AD) user name and password to login page. As the first part of the two-factor authentication process, Symantec VIP sends the user name and the password to the User Store. If your User Store authenticates the user name and the password, the User Store returns the group permission details and the authentication response to Symantec VIP Credential Provider. If the user enters an invalid AD password, the password is expired, or the user account is locked, AD Authentication fails and VIP integration can't verify group membership exclusions or permissions, and the users it prompted for VIP MFA. The login fails, as expected. 

Reset the user's AD password. If the user must change their password at the next login, perform that step prior to accessing the VIP-protected server.