Revice Password Last Set logic to check local PasswordLastSet and msLAPS-PasswordExpirationTime
This is my second reply on the issue you're seeing integrating Windows LAPS with your Citrix MCS\Provisioning solution.
Basically, I think there is definitely room for improvement here in Windows LAPS.
My first idea is that Windows LAPS needs to integrate with sysprep so we can automatically take make our local state consistent during a sysprep generalize image. Simplistically, during sysprep I would just delete all of the LAPS\State registry values. Based on my analysis so far this would not help your situation - but it would be an improvement for other customers.
Secondly, I've been pondering your PasswordLastSet-related ideas. I am still thinking through the details but I believe there is a definite place for it. No ETA or anything like that, so do please consider the short-term workaround I described in my previous reply.
Mostly for fun, here is the super precise engineering diagram I am using to think about your scenario:
Anyway, I have logged bugs on both of these ideas and will work on them. Thank you again!
Jay