Hello Philip,
You can have the Windows Desktop log in to VPN/AD directly without using cached credentials first. You should see an icon at the bottom of the login screen that allows you to do that. Microsoft VPN and Sonicwall SSL are two that I know work because I have done it. In this scenario, you should get the change password prompt since VPN connects first, then ADDS.
You may want to consider implementing the new NIST guidelines for passwords which recommend not changing passwords unless the user suspects there has been a credentials breach. That might simplify things.
If you don't see the option for network sign-in, check the link below:
Miguel Fra
https://www.falconitservices.com