Defender Desktop Login is not enumerating the user's Active Directory groups correctly.
When using Desktop Login, it is behaving as if it cannot reach Active Directory; for example defaulting to 'Windows Authentication' unexpectedly if the option "Require Specified Users to Log On using Defender"
If the AD user does not have the permission "SELF | Read" then this may occur.
Ensure that the permission "SELF | Read" is enabled.
If "SELF | Read" is not sufficient, also test "Authenticated Users | Read"