I use the command
pwpolicy -u "$LOGGEDINUSER" -setpolicy "newPasswordRequired=1"
to for the user to pick a new password when they log into a new device for the first time. We also use this if we change the password policy and need the user to pick a new password at next login. So this works great until we turn on filevault. Once we have that on the results are incosistant. We keep having computer reboot, the user enters their current username/pw, and then gets prompted to change the password. This will always work, but sometimes the username/pw the user entered disapears while the password change box is still up. The use has to re-enter their username/pw again and then change the password. Also when this happens it will not give the helper GUI that show what the policy is and helps show if they meet the requirements. If I turn off filevault I never see this. Also it's not consistant. Sometimes it does work normal, but I can't figure out why.