Local administrator tagged "must change password" when domain user joins azureAD using OOBE

Hi all thanks in advance and sorry if my question is not properly structured, first time I ask instead of just lurk:

• I have a hybrid on-prem/azureAd environment using dirsync
• Laptops are imaged with a local administrator account with psswd set to "never expire"
• Users go through OOBE and join azureAD

After this, the "Administrator" account is disabled - Default windows10 behaviour, OK.

THIS IS MY ISSUE - The extra local administrator gets the flag to "user must change password on next logon" set to true.

If you log in using audit mode before OOBE or finish OOBE with a local "offline" account, this does NOT happen.

I can't for the life of me find where in the domain policy this is getting pushed.

I see nothing useful doing an Rsop / GpResult...

This is default and expected behavior. You should avoid having the local admins burnt into image or provisioned with permanent static password.

Since you are in Hybrid mode, and according to best practices, please consider implementing LAPS (https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-guide-how-to-configure-microsoft-local/ba-p/2806185) on your on-prem Windows Server Active Directory, that can regularly update and maintain local admin passwords to your on-prem Windows Server Active Directory.