Azure, MFA, and Windows

Our police department currently connects to the VPN, then connects to their various applications. Because of the nature of the information they pass, they must be on the VPN; however, we have been mandated to implement MFA at Windows login. We have ADFS, Cisco VPN... Any idea where to start or how to make this work?

3 Replies

I'm not an expert in this, but I don't believe there's a native way to do multi-factor authentication on Active Directory (Windows login). You'd need to look at a third-party solution (and there are many).

 

MFA for ADFS only secures login to web apps after the desktop login has been processed.

 

Happy for someone to correct me though!

What version of Windows do they have on their devices? If they have Windows 10, there are many new features to enhance login security for this type of scenario (some of them depend on the capabilities of the hardware), see https://technet.microsoft.com/en-us/itpro/windows/whats-new/security

 

What version of Windows Server do they have? Upgrading to 2016 will provide many benefits in this area, see https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/operations/configure-ad-fs-20...

 

You can set up MFA in Azure or on-premises, see https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started/.

 

With Azure MFA, you can use it with conditions, i.e., the location, the device, and the application can all be used to determine when the second factor is required. It should not be needed ALL of the time, see https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-azuread...

 

Instead of VPN, you could use Azure AD Application Proxy to provide access back into the on-premises applications, see https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-get-star...

You can use a comprehensive VPN for Windows which provides a corporate solution as well. The most secure encryption level for secure and sensitive data transfer must be OpenVPN with AES 256-bit encryption. This has so far not been broken by any security agency. For more information on this, read the Best VPN for Windows.