Only the first logon requires a line of sight with a domain controller.
So if the user already used the password or the PIN to signin on that very same machine, this should work when the user is disconnected from the network. This is made possible because of a feature of the operating system called Cached Credentials. However, if one disables this feature, you will experience the behavior you are describing.
Can you check this registry path on one of these machines,
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount is that 0 or a very low value (<2)?
More information is available here: https://learn.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/cached-domain-logon-information.