So the crux of the issue is this: NLA does not allow users with expired passwords or whose account has been configured to require a password change on next logon to log into a Remote Desktop Server.
Requirement: Enable SSL/TLS for RDP connections to provide RDS host identity validation and use "current" encryption standards
Background: We have a fairly large number of remote users in a BYOD situation where the user does not EVER have direct access to the corporate network from a corporate device on the network. When setting up a new user we require that they change their password upon initial login. When using the RDP security layer, this is fairly straightforward as they can provide their credentials and are immediately prompted to change their password. However, if SSL/TLS or Negotiate is selected, the connection fails indicating the password is expired without any prompt to change it.
Documentation on this is a bit unclear; however, it all seems to indicate that this should ONLY be an issue if NLA is REQUIRED. However, in my experience NLA is used if it is supported and there is no mechanism in place for the connection to "fall back" to the RDP security layer, so the connection just fails. One oddity to note is that Windows Server 2003 allows either the RDP Security layer or SSL/TLS to be used but does not support NLA. To me this would seem to indicate NLA is separate from SSL/TLS and that there should be the ability to utilize SSL/TLS WITHOUT NLA. I am aware that there are "patches" available for this issue, but I am also aware that they 1) only change the error message displayed on the client side and 2) only enable the password change functionality via RDWeb. We are not interested in using RDWeb and are looking for a solution to the problem above.
In summary, looking for a way to enable SSL/TLS but to disable NLA. Alternatively, if there is a solution to allow the connection to fallback to the RDP Security layer if NLA fails, I would happily accept that as well. Thank you all in advance for any assistance you can provide.
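The two settings the question separates (security layer vs. NLA) are independent properties on the RDP-Tcp listener. The following is an added example, not code from the original post, that audits them and sets SSL/TLS with NLA not required; it assumes Windows Server 2008 R2 or later, an elevated session on the RDS host, and that no Group Policy is enforcing NLA (a policy setting overrides the WMI value and the set call fails).

```powershell
# Added example: audit and set the RDP-Tcp listener's security layer and NLA
# requirement independently via the Win32_TSGeneralSetting WMI class.
$SecurityLayerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }

function Get-RdpListener {
    param([string]$ListenerName = 'RDP-Tcp')
    Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='$ListenerName'"
}

function Get-RdpListenerSecurity {
    param([string]$ListenerName = 'RDP-Tcp')
    $ts = Get-RdpListener -ListenerName $ListenerName
    [pscustomobject]@{
        Listener        = $ts.TerminalName
        SecurityLayer   = $SecurityLayerNames[[int]$ts.SecurityLayer]
        NlaRequired     = [bool]$ts.UserAuthenticationRequired
        # Thumbprint of the certificate the listener presents for host identity.
        CertificateSha1 = $ts.SSLCertificateSHA1Hash
    }
}

function Set-RdpListenerSecurity {
    param(
        [string]$ListenerName = 'RDP-Tcp',
        [ValidateSet(0, 1, 2)][int]$SecurityLayer = 2,  # 2 = SSL/TLS only, no RDP-layer fallback
        [bool]$NlaRequired = $false                     # $false = listener does not require NLA
    )
    $ts = Get-RdpListener -ListenerName $ListenerName
    Invoke-CimMethod -InputObject $ts -MethodName SetSecurityLayer `
        -Arguments @{ SecurityLayer = [uint32]$SecurityLayer } | Out-Null
    # Note: with NLA off, the server shows its logon UI before the client has
    # authenticated, which is what allows the expired-password change prompt.
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = [uint32][int]$NlaRequired } | Out-Null
    Get-RdpListenerSecurity -ListenerName $ListenerName
}

# Before/after view of the listener.
Get-RdpListenerSecurity
Set-RdpListenerSecurity -SecurityLayer 2 -NlaRequired $false
```

On the client side, mstsc only attempts CredSSP/NLA when its .rdp file allows it; the line `enablecredsspsupport:i:0` in the connection file turns that off, which is the client-side half of the fallback the post is asking about.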