I know the answer should be always MFA for everything.
But I'm having a hard time trying to figure out how to work around the side effects.
We currently are using OpenVPN installed as a service with a Cert authentication on each machine.
When a computer is on and connected to the internet they automatically connect to a Ovpn subnet, this subnet only allows authentication to AD, allows the machines access to WSUS and allows our PDQ Deploy to update their applications. No other resources are accessible from the vpn.
So what I'm getting confused with is: If we roll out MFA on the VPN, how can we reliably keep the machines up to date if the VPN doesn't connect until someone allows it using MFA? Are people using alternatives to WSUS or PDQ Deploy for patch management to not have to rely on the VPN Connection?