When configuring Desktop Login Exclusions so that "Users in listed groups cannot logon without Defender authentication", logons work when there is a network connection, but not when the system is disconnected, as in the case of a laptop off the VLAN.
When using Exclusions you should be aware that the group membership must be evaluated from Active Directory. If the DSS cannot be contacted, in the case of an offline login, this cannot happen. Thus it is suggested to use a local group for exclusions.
For a system that is always connected to the VLAN this is not generally an issue.