When devices are removed from domain, the device is also synced with the PAm appliance, thus removing the device and the password history of the local account. When a device needs to be restored the password that was rotated by PAM is not retrievable anymore. If PAM had a retention policy for all the passwords it manages, also if the device or object was removed. This would be great