Only the first logon requires a line of sight with a domain controller.
So if the user already used the password or the PIN to sign in on that very same machine, this should work when the user is disconnected from the network. This is made possible because of a feature of the operating system called Cached Credentials. However, if one disables this feature, you will experience the behavior you are describing.
Can you check this registry path on one of these machines: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
Is that 0 or a very low value (<2)?
More information is available here: https://learn.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/cached-domain-logon-information.
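
The registry check suggested above can be scripted. This is an added example, not part of the original reply: the function name `Get-CachedLogonSetting` is hypothetical, and querying other machines assumes PowerShell remoting (WinRM) is enabled on them.

```powershell
# Added example: report the CachedLogonsCount setting for one or more machines.
function Get-CachedLogonSetting {
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Runs on the target machine. The value is stored as a string (REG_SZ)
    # and may be absent, in which case this returns $null.
    $probe = {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    }

    foreach ($computer in $ComputerName) {
        $count = $null
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $raw = & $probe
            } else {
                $raw = Invoke-Command -ComputerName $computer -ScriptBlock $probe -ErrorAction Stop
            }
            $parsed = 0
            if ($null -eq $raw) {
                $assessment = 'Value not set: the Windows default applies'
            } elseif (-not [int]::TryParse([string]$raw, [ref]$parsed)) {
                $assessment = "Unexpected non-numeric value '$raw'"
            } else {
                $count = $parsed
                if ($count -eq 0) {
                    $assessment = 'Caching disabled: every logon needs a domain controller'
                } elseif ($count -lt 2) {
                    $assessment = 'Very low: only the most recent logon is cached'
                } else {
                    $assessment = 'Caching enabled'
                }
            }
        } catch {
            $assessment = "Query failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Computer          = $computer
            CachedLogonsCount = $count
            Assessment        = $assessment
        }
    }
}

# Local machine by default; pass -ComputerName for others.
Get-CachedLogonSetting | Format-Table -AutoSize
```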