Hi all,
I'm hoping someone with experience around LAPS-managed local accounts and Declarative Device Management (DDM) can weigh in on this.
Scenario 1:
When applying the "Change passcode on next authentication" payload via DDM, I’ve observed that this flag applies to all local accounts on the device — including the one managed by LAPS. My question is:
If LAPS rotates the password while that account is flagged for password change on next login, what happens?
Will the password change flag be satisfied automatically by the rotation, or is there a risk of the user being prompted unexpectedly or getting locked out?
Scenario 2:
If the same DDM payload is in place and the passcode for the affected LAPS-managed account is manually changed (e.g., by an admin or user), then when LAPS next attempts to rotate the password, it will likely operate with an outdated expectation of the current password.
Will this mismatch disrupt LAPS password cycling?
Does LAPS handle this edge case gracefully or will it fail the rotation attempt?
Appreciate any insights or real-world experiences. Thanks in advance!