AndyLeonhard
>> Does anybody have any ideas for how to handle this scenario? It feels like this is expected but perhaps unintended behavior.
Yes this behavior is expected. However, I will be brutally honest right here in this public forum and admit that I did not anticipate the potential impact of the Windows LAPS "legacy LAPS emulation mode" on preexisting OS deployment workflows (for example MDT workflows like you are using).
There are two ways to get past this. The preferred option would be to modify your workflow so that you initially join the machine to a clean (no linked GPOs) staging OU, and then move the machine to the final destination OU as the very last step, at which point the legacy LAPS policy (or new Windows LAPS policy) will get applied to the device and honored. If that approach is not adaptable to your current workflow, then you will want to control if/when Windows LAPS starts enforcing the legacy LAPS policy by using the registry key documented here.
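The staging-OU approach from the reply above, written out as an added PowerShell example. This is not code from the post or from Microsoft; the domain name, the two OU distinguished names, the computer name and the credential prompts are assumptions, and the registry-key alternative is not shown because the post does not name the key. The idea is that the build runs while the computer object sits in an OU with no linked GPOs, and the move into the policy-bearing OU is the very last task, so Windows LAPS only sees a LAPS policy once the build-time local administrator password is no longer needed.

```powershell
# Added example, not from the original post. Assumed values are marked below.
# Phase 1 runs early in the deployment (e.g. an MDT task sequence step);
# Phase 2 runs as the last step, after every task that relies on the
# build-time local administrator password has finished.

$Domain    = 'contoso.com'                                   # assumption
$StagingOU = 'OU=Staging,OU=Workstations,DC=contoso,DC=com'  # assumption: no GPOs linked here
$FinalOU   = 'OU=Finance,OU=Workstations,DC=contoso,DC=com'  # assumption: LAPS policy linked here

function Join-StagingOU {
    # Phase 1: join the domain directly into the clean staging OU so that
    # neither a legacy LAPS policy nor a Windows LAPS policy applies during
    # the build. Runs on the machine being deployed.
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $OUPath,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    Add-Computer -DomainName $DomainName -OUPath $OUPath -Credential $Credential -Force
    # The caller (task sequence) performs the reboot; omit -Restart here so the
    # join result can be checked before continuing.
}

function Move-ToFinalOU {
    # Phase 2: move the computer object into its destination OU and pull policy.
    # Requires the RSAT ActiveDirectory module and an account that can move
    # objects between the two OUs (the computer's own account normally cannot).
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $TargetOU,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $computer = Get-ADComputer -Identity $ComputerName -Credential $Credential
    if ($computer.DistinguishedName -like "*,$TargetOU") {
        Write-Verbose "$ComputerName is already in $TargetOU"
        return
    }
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $TargetOU -Credential $Credential

    # Refresh Group Policy so the LAPS policy linked to the final OU is read
    # now rather than at the next background refresh. With the policy applied,
    # Windows LAPS (or its legacy emulation mode) takes ownership of the
    # managed local administrator account from this point on.
    gpupdate.exe /target:computer /force | Out-Null
}

# --- Usage (assumed credentials are prompted for interactively) -------------
$joinCred = Get-Credential -Message 'Account allowed to join computers into the staging OU'
Join-StagingOU -DomainName $Domain -OUPath $StagingOU -Credential $joinCred
# ... remaining build steps that still use the build-time local admin password ...
$moveCred = Get-Credential -Message 'Account allowed to move computer objects to the final OU'
Move-ToFinalOU -ComputerName $env:COMPUTERNAME -TargetOU $FinalOU -Credential $moveCred
```

After the final step, confirm from an administrative workstation that the rotated password has actually been backed up for the new object, for example with `Get-LapsADPassword -Identity <computer> -AsPlainText` from the Windows LAPS module; if nothing is returned after the first policy refresh, the machine is still being treated as unmanaged and the OU move or the GPO link should be rechecked before the device is handed over.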