As some may be familiar, MFA and Conditional Access cause issues with the PRT token authentication and result in Enterprise downgrading to Pro. The problem is, this breaks DirectAccess as well for our remote users. We were assured that as long as machines were on a current feature update version (everything we have is now either 2004, 20H2, or 21H1) that when this happens we can just go into Shared Experience Settings, hit 'Fix Now' and then the user will get an MFA prompt. Usually after that it takes one restart to get back to Enterprise and a couple more for DA to return. It seems to be happening more and more frequently, which is already enough of an issue, but now we're seeing instances where the 'Fix Now' button isn't there and the only solution is to disconnect the user's account, reset the machine in AD, and do a remote domain join (a long and annoying process).
Has anyone figured out a better workaround or solution yet? The other thing I was planning on trying next was modifying our conditional access to just specific cloud apps instead of all of them. Does anyone know which cloud app relates to how Enterprise/PRT authenticates?
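An added diagnostic script (not from the original post or from Microsoft) that makes the state described above visible before a user reports it: it parses `dsregcmd /status` for the hybrid-join and PRT fields and reads the active Windows edition from WMI, so a device that is domain/Azure AD joined but currently holds no PRT (the condition behind the Enterprise-to-Pro downgrade) can be flagged. The `NeedsAttention` rule and the function name are assumptions for illustration; run it in the affected user's own session, since the SSO State section of `dsregcmd` reports the PRT of the calling user.

```powershell
# Added example, not part of the original post.
# Reports whether this device holds an Azure AD PRT and which Windows edition
# is currently active. Run as the affected user (the PRT is per-user).

function Get-PrtAndEditionState {
    # dsregcmd /status prints "Key : Value" lines; keep the single-word keys.
    $raw = & dsregcmd.exe /status
    $fields = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    # Edition as Windows currently sees it (e.g. "Microsoft Windows 10 Enterprise").
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Hypothetical rule for this example: a hybrid-joined box with no PRT is
    # the state in which Subscription Activation cannot re-validate Enterprise.
    $noPrt = ($fields['AzureAdJoined'] -eq 'YES' -and $fields['AzureAdPrt'] -ne 'YES')

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Edition        = $os.Caption
        OSBuild        = $os.BuildNumber
        DomainJoined   = $fields['DomainJoined']
        AzureAdJoined  = $fields['AzureAdJoined']
        AzureAdPrt     = $fields['AzureAdPrt']
        PrtUpdateTime  = $fields['AzureAdPrtUpdateTime']
        NeedsAttention = $noPrt
    }
}

Get-PrtAndEditionState | Format-List
```

Running this on a sample of remote machines (for example via a scheduled task that writes the object to a share or a monitoring endpoint) gives a count of devices already in the "no PRT" state, which is the number to watch while trialling any Conditional Access change.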