Event details
Do you manage Windows endpoints in Intune? Do you have questions that extend beyond configuration and involve ensuring security, compliance, and a seamless user experience on Windows? Join this Ask M...
Char_Cheesman
Updated Dec 27, 2024
BrandonBrown
Mar 20, 2024 Brass Contributor
Our organization is trying out the passwordless capability as part of the Authentication Policy CSP, but we are struggling with some of the functionality as currently designed and documented: https://learn.microsoft.com/en-us/windows/security/identity-protection/passwordless-experience/#in-session-authentication-experiences
To keep this short: What is the reasoning behind forcing in-session authentication to the built-in local Administrator account and not allowing the opportunity to provide another account with local administrator access to authenticate? LAPS is great and it works, but it is hard to track down who actually performed that action, aka retrieved the LAPS password from Entra, and EPM requires additional configuration, doesn't currently check all of the boxes, and most importantly, comes at an additional cost.
- Char_Cheesman Mar 20, 2024 Bronze Contributor
Thanks for participating in today's session of AMA: Windows management with Intune! For reference, the panel covered this topic at around 36:45.
- BrandonBrown Mar 20, 2024 Brass Contributor
Thank you, Charlize. Still hoping the team can provide some insight on the in-session authentication when turning on the passwordless experience with the Authentication Policy CSP 🙂