We've encountered a frustrating issue where users are getting completely locked out of their accounts when their passwords expire. We have a 90-day password expiration policy, but it seems to be causing more headaches than security benefits, especially with the recent snowstorm forcing everyone to work remotely. When users try to log in to their laptops, they get a message prompting them to change their password. Some users attempt to type in a new password, while others reach out for temporary passwords, but either way, they are met with a 'Password is incorrect' message. I tried to recreate this scenario using a test account and followed all the protocols, but it worked fine for me. I'm wondering if the issue could be linked to our VPN, Palo Alto's GlobalProtect. Any insights would be appreciated!
5 Answers
Do you have BitLocker enabled on those devices? I faced a similar problem where users wouldn’t be notified of password changes correctly. Sometimes, you need to reset the password in Active Directory, create a temporary profile, and rename it back after signing in with the new password. Also, be cautious—too many incorrect attempts could trigger BitLocker key requests.
Be specific about the conditions under which these failures occur. Keep in mind, if passwords are expired, that could cause VPN issues. Ensure everything needs to function smoothly before making password changes!
Have you checked if you have both 2025 and earlier domain controllers in your network setup? The mix can sometimes contribute to unexpected login behavior.
It sounds like this could be related to how your VPN client interacts with Windows logins. If the VPN connects after the user logs in, it might lead to the behavior you're describing. Users should be able to log in with cached credentials, connect to the VPN, and then use Ctrl+Alt+Del to change their password, which might help. However, if the VPN is connecting before the Windows login, and users can't change their passwords, you might be seeing routing or traffic issues due to the VPN's security settings.
From my experience with GlobalProtect, it tends to require an update of the local login information after a domain password change. Make sure users check the system tray for any GlobalProtect icon that might need attention for updates. It's essential that the client is up-to-date to avoid these password issues.
