We have a very small deployment of RSA but starting to put it on some machine and leaving it un-configured. In-configured meaning the User is not in a challenge group there are no GPO's applied for RSA only the base windows client is installed on the machine.
We have found that when the user is off the network with no domain access they are unable to log into their machine using there windows cached credentials. They will be unable to log into there machine until they connect back to the domain.
We would like to have client installed ahead of time so it can be configured when the user needs it.