Deactivated Active Directory users can log in to a computer with the agent for Windows installed without MFA (user name and password are still required). This only happens the first time the user logs in after they are deactivated. When the user tries to log in again, they receive a Windows error message.
This issue is not related to the agent for Windows and happens whether or not the agent for Windows is installed. Deactivated Active Directory users can successfully log in the first time after they are deactivated.