The Offline Token Store cache update routine runs after the user successfully logs in to Windows and supplies the response from the Defender token while the machine is on the domain.
How can systems cache the Offline Token Store if the domain is unavailable during Windows login?
The offline cache works only when the user authenticates with Defender Desktop Login. When a user authenticates via Desktop Login while the machine is connected to the domain, the offline cache is generated (the first time) or updated (subsequently).
If the system is never connected to the domain when the user authenticates via Desktop Login, neither the initial generation nor the update will occur.