Only let in 2-factor users, block all others
If you want to allow ONLY 2-factor users on a particular machine, just break the problem into two parts:
- Use Group Policy to restrict the set of users allowed to log on to only "AuthLite Users". Do this in the Computer policy's "User Rights Assignment" sections highlighted in green (the "Allow" rights). Anyone not listed in these settings will not be allowed to log on.
- Now add "AuthLite 1F Tag" to the sections highlighted in red (the "Deny" rights). This adds the further constraint that even a user who would otherwise be allowed to log on is blocked when authenticating as a 1-factor AuthLite user.
As a quick example, if you set the "Allows" to "AuthLite Users" (or you could choose "AuthLite 2F Tag" here) and then set the "Denies" to "AuthLite 1F Tag", you have blocked everyone except 2-factor AuthLite users. This may be stricter than you truly want; consider that you should still allow "Administrators" to log on as well. (That covers local admins as well as all domain admins.)
Note: Always test that 1-factor logons and authentication attempts by disallowed users are blocked as you expect. Just because 2-factor logon works does not imply that it is being enforced.
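The following PowerShell script is an added example and is not part of the AuthLite article or product. It audits the effective User Rights Assignment on a machine against the allow/deny pattern described above, and then searches the Security log for logons that were rejected because the account lacked the requested logon right, which is the evidence the Note above asks you to look for. It assumes (the article does not say which rights are highlighted) that the rights in play are the local and Remote Desktop logon rights, that the groups "AuthLite Users", "AuthLite 1F Tag" and "Administrators" exist, and that it is run in an elevated session on a domain-joined machine that can resolve those names.

```powershell
# Added example, not part of the AuthLite article: audit this machine's effective
# User Rights Assignment against the allow/deny pattern described above, then look
# for evidence that denied logons are actually being rejected.
# Assumptions (not stated on the page): the rights in play are the local and
# Remote Desktop logon rights; the group names below exist and can be resolved.
# Run in an elevated PowerShell on the machine the policy applies to.

$Expected = @{
    # Allow rights: only these groups may log on at all
    'SeInteractiveLogonRight'           = @('AuthLite Users', 'Administrators')
    'SeRemoteInteractiveLogonRight'     = @('AuthLite Users', 'Administrators')
    # Deny rights: 1-factor AuthLite sessions are rejected even if allowed above
    'SeDenyInteractiveLogonRight'       = @('AuthLite 1F Tag')
    'SeDenyRemoteInteractiveLogonRight' = @('AuthLite 1F Tag')
}

function Get-EffectiveUserRights {
    # Export the applied security policy with secedit and parse [Privilege Rights].
    # secedit writes each principal as *SID, or as a plain name when it cannot resolve it.
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
        $rights[$Matches[1]] = @($Matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Resolve-AccountSid([string]$Account) {
    # Map a group name to its SID so it can be compared with secedit's *SID entries.
    try {
        ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

function Test-UserRightsPolicy([hashtable]$Expected) {
    # One result per (right, principal) pair, plus a row for any principal found in a
    # right that the expected list does not name (e.g. 'Users' left in an Allow right).
    $actual = Get-EffectiveUserRights
    foreach ($right in $Expected.Keys) {
        $granted = @($actual[$right] | Where-Object { $_ })
        $known = @()
        foreach ($acct in $Expected[$right]) {
            $sid = Resolve-AccountSid $acct
            $hit = ($granted -contains $acct) -or ($sid -and ($granted -contains $sid))
            if ($hit) { $known += $acct; $known += $sid }
            [pscustomobject]@{ Right = $right; Principal = $acct
                               Status = $(if ($hit) { 'OK' } else { 'MISSING' }) }
        }
        foreach ($extra in ($granted | Where-Object { $known -notcontains $_ })) {
            [pscustomobject]@{ Right = $right; Principal = $extra; Status = 'UNEXPECTED' }
        }
    }
}

function Get-DeniedLogonEvents([int]$Hours = 24) {
    # Security event 4625 with status 0xC000015B means "the user has not been granted
    # the requested logon type at this machine", i.e. the allow/deny rights took effect.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $field = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        if ($field['Status'] -ieq '0xc000015b') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($field['TargetDomainName'])\$($field['TargetUserName'])"
                LogonType = $field['LogonType']
            }
        }
    }
}

Test-UserRightsPolicy $Expected | Format-Table -AutoSize
Get-DeniedLogonEvents | Format-Table -AutoSize
```

Run it once after the policy applies (gpupdate /force first) and again after a deliberate 1-factor test logon: the first table should show every expected principal as OK and nothing UNEXPECTED, and the second should list the test account with the denied-logon status. If the test logon succeeds, or no 4625 with that status appears, the deny right has not reached this machine, whatever the 2-factor logons look like.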