The idea behind NLA (Network Level Authentication) is to keep unauthenticated users away from the logon screen, because unauthenticated users could mount a DoS attack simply by consuming server resources at that screen. When you check the box "User must change password at next logon", you are saying that the user has to change their password before they can log in; as you already know, when this happens locally a dialog pops up prompting you to change your password, and you cannot log in until you do so. Because NLA requires you to be fully authenticated before Remote Desktop even attempts to open a session, this is where the problem lies: NLA does not let users who must change their password at first logon, or users whose password has expired, reach the logon screen at all.
However, there is a workaround for users whose password has expired, since they can change it through the RD Web Access console; unfortunately there is nothing equivalent for users flagged with "change password at next logon".
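Before enforcing NLA on an RD host, it helps to know which accounts will be locked out by the behaviour described above. The following PowerShell is an added example, not part of the original post, and assumes the ActiveDirectory module (RSAT) and a single RDP-Tcp listener; it lists enabled users that must change their password at next logon (pwdLastSet = 0) or whose password has already expired, and reports whether the host currently requires NLA.

```powershell
Import-Module ActiveDirectory

# Enabled users flagged "User must change password at next logon":
# the flag is stored as pwdLastSet = 0. The bitwise LDAP rule excludes
# accounts with the ACCOUNTDISABLE (0x2) bit set in userAccountControl.
$mustChange = Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' |
    Select-Object SamAccountName, DistinguishedName

# Enabled users whose password has expired (they can still use the
# RD Web Access password-change page, the pwdLastSet=0 users cannot).
$expired = Search-ADAccount -PasswordExpired -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, DistinguishedName

# Does this host require NLA? UserAuthentication = 1 means NLA is enforced.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

"NLA required on $env:COMPUTERNAME : $nlaRequired"
"Users that will be blocked (must change password at next logon): $($mustChange.Count)"
$mustChange | Format-Table -AutoSize
"Users with expired passwords (can recover via RD Web Access): $($expired.Count)"
$expired | Format-Table -AutoSize
```

Run it from an elevated session on the RD host; the first list is the set of accounts an administrator should reset (with a fresh password and the flag cleared) or warn before NLA is switched on.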
Solution for users whose password has expired, via RD Web Access: