Symantec VIP MFA bypass during no network connection is not working with MCP



Article ID: 421096

Products

VIP Service

Issue/Introduction

Microsoft Credential Provider (MCP) allows for a local "no2fa" group so local users can bypass VIP MFA. This setting is working fine when the computer is connected to the network.

However, when the local box is disconnected from the network (simulating a network outage) the local users are then getting prompted for VIP MFA credentials.

Environment

Microsoft Credential Provider integration on Windows machines

Cause

The 'no2fa' group is treated differently than the local registry setting for 'ChallengeLocalUsers'.

  • The 'no2fa' group is checked locally: if a local user is a member of that group, they are never prompted for 2FA.
  • The 'ChallengeLocalUsers' registry setting can be turned off (value "0"), but MCP still needs a network connection to the VIP Radius server to decide whether local users are challenged. If there is no network connection to the Radius server, MCP challenges local users.
    • Refer to this note in the MCP documentation: In the case of local users, if the Validation Server is VIP User ID mapping-enabled, the skipLocalUsersForUserStoreSearch flag in the radserver.conf file must be set to True. When this flag is set to True, the Validation Server skips the user store search for local users.

Resolution

To keep local users exempt from VIP MFA during a loss of network connectivity, ensure they are members of the local Windows "no2fa" group.
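The following PowerShell script is an added example (not Broadcom's code) that audits which local accounts are missing from the "no2fa" group and, with -Remediate, creates the group and adds them. It assumes it runs elevated on the Windows host where MCP is installed and that the Microsoft.PowerShell.LocalAccounts module is available; the account names in $ExemptUsers are constructed sample values.

```powershell
# Added example (not from the Broadcom article): audit and, optionally, remediate
# membership of the local "no2fa" group so that local accounts are not prompted
# for VIP MFA by MCP when the VIP Radius server is unreachable.
# Assumes: run elevated on the MCP host; Microsoft.PowerShell.LocalAccounts
# module is available (Windows 10 / Server 2016 and later).
param(
    [string[]] $ExemptUsers = @('localadmin', 'svc_backup'),   # constructed sample values
    [string]   $GroupName   = 'no2fa',
    [switch]   $Remediate
)

# Create the group only if it is missing; MCP looks it up by name.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    if ($Remediate) {
        New-LocalGroup -Name $GroupName -Description 'Local accounts exempt from VIP MFA (MCP)' | Out-Null
        Write-Host "Created local group '$GroupName'"
    } else {
        Write-Warning "Local group '$GroupName' does not exist; run with -Remediate to create it"
        return
    }
}

# Current members, normalised to bare account names (members are reported as COMPUTER\user).
$members = Get-LocalGroupMember -Group $GroupName |
    ForEach-Object { ($_.Name -split '\\')[-1].ToLower() }

foreach ($user in $ExemptUsers) {
    # Only local accounts are relevant; a typo or a domain account is reported, not added.
    if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
        Write-Warning "'$user' is not a local account on this host; skipping"
        continue
    }
    if ($members -contains $user.ToLower()) {
        Write-Host "OK      $user is a member of $GroupName"
    } elseif ($Remediate) {
        Add-LocalGroupMember -Group $GroupName -Member $user
        Write-Host "ADDED   $user to $GroupName"
    } else {
        Write-Warning "MISSING $user would be prompted for VIP MFA while the Radius server is unreachable"
    }
}
```

Run it without -Remediate first to see which accounts would still be challenged during an outage; the ChallengeLocalUsers registry value is deliberately not touched here, since the article states it does not help when the Radius server is unreachable.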

Additional Information

Microsoft Credential Provider documentation can be found here: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/vip/cloud/Related-Documents.html