This is someone trying to spin a CVE out of the way Windows has handled password caching for literal decades. If it can’t reach the IDP, it allows you to log in using the last confirmed valid password.

Of course CA won’t work if you can’t reach Entra to pull them. Of course the machine can’t require you to use the newest password if it can’t reach AD to check against it instead of the cached one. This is basic fucking functionality that any serious Windows admin should already be familiar with.

It’s definitely an interesting edge case where you can’t reach Entra or AD but the device can still be reached by RDP, but this “security hole” is literally what the caching is meant for. Maintaining the ability to access the machine if the IDP isn’t reachable.

It’s how almost any org using AD as their IDP allows users to log in from home before they are connected to VPN. Microsoft isn’t going to break that functionality.

In an ideal world, there would be separate password caching controls for every combo of AD/Entra/Other IDP and local/remote, but here in the real world this functionality can be controlled by the same controls for it that have been around for literal decades. In an ideal world, there’d also be ways for CA policies to be cached and enforced locally if Entra isn’t reachable, but here we are.

Also, shame on Ars Technica for not linking the actual research, and for being as vague as fucking possible about the details in service of making this clickbait.