@Luca Chiavarini - Login locally / unlock to a Windows machine is a "single factor" requirement. Hence, once the password login is done, they would be able to access the desktop.
Also, it depends on what type of infra (hybrid or cloud only).
If it's hybrid users and you want password + MFA when RDPing to the clients, there are a few other routes we can take a look at if that suits your need, like the NPS extension with Azure MFA. Also, RDS infra with Azure MFA.
https://learn.microsoft.com/azure/active-directory/authentication/howto-mfa-nps-extension-rdg
https://learn.microsoft.com/azure/active-directory/authentication/howto-mfa-nps-extension
In case it is a cloud-only setup with AADJ + Intune, the best is the default WHFB login (PIN or bio). However, if you are still fond of "password" unlock, you can think of enabling "phone sign-in". Users will still be able to unlock with password, but any other application access will require phone sign-in from the Authenticator app.
Hope this helps. Please let us know if you have any more details on your infrastructure.
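As an added example (not part of the answer above, and not Microsoft's own tooling): a PowerShell triage script that reports which of the routes described in the answer applies to a machine (hybrid vs. cloud-only, read from `dsregcmd /status`) and, when run on the NPS server, checks the Azure MFA NPS extension's local configuration. The install path, `REQUIRE_USER_MATCH` / `OVERRIDE_NUMBER_MATCHING_WITH_OTP` registry values, the `OU=Microsoft NPS Extension` certificate subject and the NPS service name `IAS` are as documented for the extension; the `AuthZAdminCh` event-log name is assumed from the documented log path, and the function names are mine.

```powershell
# Added example, not from the original answer. Run in an elevated PowerShell.
# Assumptions: registry value names, install path and certificate subject follow
# the Azure MFA NPS extension docs; the event-log name is assumed from the
# documented path Applications and Services Logs > Microsoft > AzureMfa > AuthZ.

function Get-JoinState {
    # dsregcmd /status prints lines such as "AzureAdJoined : YES" and "DomainJoined : YES".
    $lines = dsregcmd /status
    function Get-Flag([string]$name) {
        $m = $lines | Select-String -Pattern "^\s*$name\s*:\s*(\S+)" | Select-Object -First 1
        if ($m) { $m.Matches[0].Groups[1].Value -eq 'YES' } else { $false }
    }
    [pscustomobject]@{
        AzureAdJoined = Get-Flag 'AzureAdJoined'
        DomainJoined  = Get-Flag 'DomainJoined'
    }
}

function Get-Route {
    param([bool]$AzureAdJoined, [bool]$DomainJoined)
    # Maps the join state to the routes named in the answer above.
    if ($AzureAdJoined -and $DomainJoined) { 'Hybrid: NPS extension with Azure MFA (RDG) or RDS infra with Azure MFA' }
    elseif ($AzureAdJoined)                { 'Cloud-only (AADJ + Intune): WHFB PIN/bio by default; phone sign-in if password unlock is kept' }
    elseif ($DomainJoined)                 { 'Domain-joined only: NPS extension still possible for RDG, but the users must exist in Azure AD (MFA is evaluated in the cloud)' }
    else                                   { 'Not joined: none of the routes above apply' }
}

function Test-NpsExtension {
    # Checks the local footprint of the Azure MFA NPS extension on the NPS server.
    $key = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
    $result = [ordered]@{
        ExtensionInstalled  = Test-Path 'C:\Program Files\Microsoft\AzureMfa'
        RegistryKeyPresent  = Test-Path $key
        RequireUserMatch    = $null   # $null = value not set, i.e. documented default
        OtpFallbackOverride = $null   # OVERRIDE_NUMBER_MATCHING_WITH_OTP, $null = not set
        ClientCert          = $null
        NpsServiceRunning   = $false
        RecentAuthZEvents   = $null
    }
    if ($result.RegistryKeyPresent) {
        $p = Get-ItemProperty -Path $key
        $result.RequireUserMatch    = $p.REQUIRE_USER_MATCH
        $result.OtpFallbackOverride = $p.OVERRIDE_NUMBER_MATCHING_WITH_OTP
    }
    # The config script (AzureMfaNpsExtnConfigSetup.ps1) creates a self-signed cert
    # in the machine store with CN=<tenant id>, OU=Microsoft NPS Extension.
    # An expired or missing cert means the extension cannot reach Azure MFA.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*OU=Microsoft NPS Extension*' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($cert) {
        $state = if ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
        $result.ClientCert = "$($cert.Subject) ($state until $($cert.NotAfter.ToShortDateString()))"
    }
    # The Network Policy Server service is registered under the name IAS.
    $svc = Get-Service -Name IAS -ErrorAction SilentlyContinue
    $result.NpsServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')
    # Assumed log name, derived from the documented AuthZ > AuthZAdminCh path.
    $events = Get-WinEvent -LogName 'Microsoft-AzureMfa-AuthZ/AuthZAdminCh' -MaxEvents 5 -ErrorAction SilentlyContinue
    if ($events) {
        $result.RecentAuthZEvents = ($events | ForEach-Object { "$($_.TimeCreated) [$($_.Id)]" }) -join '; '
    }
    [pscustomobject]$result
}

# Usage: join state first, then the extension checks if this box could be the NPS server.
$join = Get-JoinState
Write-Output ("Join state: AzureAdJoined={0} DomainJoined={1}" -f $join.AzureAdJoined, $join.DomainJoined)
Write-Output ("Suggested route: {0}" -f (Get-Route -AzureAdJoined $join.AzureAdJoined -DomainJoined $join.DomainJoined))
if ($join.DomainJoined) { Test-NpsExtension | Format-List }
```

On a client the join-state output tells you which of the two branches in the answer you are in; on the NPS server, a missing or expired client certificate or a stopped `IAS` service is the usual reason RDG logins succeed with a password only and never prompt for MFA.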