Microsoft has confirmed that its Remote Desktop Protocol (RDP) allows users to log into Windows machines using passwords that have already been changed or revoked.
The way this is set up it also won’t get you “into” your account if Windows Hello is turned on and required, as the TPM requirement will verify the RSA type key won’t match on the backend? So you would get dumped at the login screen, allowing you to access the password reset screen, requiring you to use to password reset tool (needing the old password still) but then once reset the new password would sync with the hello pin/fingerprint/faceID as that machine is on the network, allowing the user to get back in remotely without having to physically show up at the machine. So it can save you a phone call or 2 to IT and keep a 2 factor authentication up to date remotely without locking the user out. (Not all of these authentication options are as good as others, but standardly you block the ones your company doesn’t want via group policy. )
The way this is set up it also won’t get you “into” your account if Windows Hello is turned on and required, as the TPM requirement will verify the RSA type key won’t match on the backend? So you would get dumped at the login screen, allowing you to access the password reset screen, requiring you to use to password reset tool (needing the old password still) but then once reset the new password would sync with the hello pin/fingerprint/faceID as that machine is on the network, allowing the user to get back in remotely without having to physically show up at the machine. So it can save you a phone call or 2 to IT and keep a 2 factor authentication up to date remotely without locking the user out. (Not all of these authentication options are as good as others, but standardly you block the ones your company doesn’t want via group policy. )