SurePassID Windows Logon Manager (WLM) doesn't get presented when elevating account when Enforcement is enabled.
Setting the Only Secure Windows Login option to 0 from 1 allows our SurePassID WLM to be used for authentication with MFA for things like elevating permissions.
With the option set to 1 (on) our WLM is presented only during the Windows Logon process which is a different process from the elevation prompt.