Microsoft
Microsoft
I tested the scenario you described and it worked for me. I am guessing though that there may be multiple environmental constraints that could cause this scenario to fail. The first thing to check IMO is this: please make sure that the "normal user" you are testing the scenario with is granted the "Impersonate a client after authentication" security privilege. By default, this privilege is granted to members of the local Administrators group (which is how it is working in my testing). This privilege is required when using -DecryptionCredential because under the covers, the Get-LapsADPassword cmdlet has to impersonate the token produced by logging on the -DecryptionCredential credentials.
If that does not explain it, next step will be some deeper debugging - feel free to open a support case with Microsoft support for that, or PM me directly and I'll keep helping you.
thx,
Jay