Solution 1:

Normally what we tell users is to put the device in "flight" or "airplane" mode, cutting off network access, when they are ready to change their password. Once they change the password on the desktop/laptop, they can enter the new password on the device and connect back to the network.

Of course we also send the expiry notification so that they are well prepared for the password expiry.

Solution 2:

TMG SP2 now has the Account Lockout feature to prevent this issue. See: Here, here and here.

Solution 3:

I've been challenged by this question as well. As a serious option I'm considering certificate-based ActiveSync authentication. Together with the EAS policy to demand a password code for unlocking the mobile device, this should count as two-factor authentication (something you have: the certificate on your mobile device; something you know: the password code for your mobile device). This way there is no issue when the password expires. Hope this helps. http://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-based-authentication-for-exchange-activesync.aspx
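The two settings Solution 3 relies on (client certificates required on the ActiveSync virtual directory, and a device password enforced by the EAS mailbox policy) can be audited from the Exchange Management Shell. The script below is an added example written for this page; it is not code from the answer above or from Microsoft. It assumes Exchange 2010-era cmdlets (`Get-ActiveSyncVirtualDirectory`, `Get-ActiveSyncMailboxPolicy`), that it runs in the Exchange Management Shell with rights to read those objects, and that the policy name `Default` is a placeholder to replace with your own. The IIS-side certificate mapping that certificate authentication also needs is outside this check.

```powershell
# Added example (not from the original thread): audit the two settings behind
# "certificate on the device + password code on the device" as two factors.
# Assumptions: Exchange Management Shell on Exchange 2010; $policyName is a
# placeholder for the EAS mailbox policy actually assigned to mobile users.

$policyName = "Default"   # assumed; replace with your EAS mailbox policy name
$minLength  = 6           # assumed minimum device password length for this check
$findings   = @()

# 1. "Something you have": every EAS virtual directory must require a client certificate.
foreach ($dir in Get-ActiveSyncVirtualDirectory) {
    if ($dir.ClientCertAuth -ne "Required") {
        $findings += ("{0}: ClientCertAuth is '{1}', expected 'Required'" -f `
                      $dir.Identity, $dir.ClientCertAuth)
    }
}

# 2. "Something you know": the mailbox policy must enforce a device password.
$policy = Get-ActiveSyncMailboxPolicy -Identity $policyName
if (-not $policy.DevicePasswordEnabled) {
    $findings += ("Policy '{0}': DevicePasswordEnabled is false" -f $policyName)
}
if ($policy.MinDevicePasswordLength -lt $minLength) {
    $findings += ("Policy '{0}': MinDevicePasswordLength is {1}, expected at least {2}" -f `
                  $policyName, $policy.MinDevicePasswordLength, $minLength)
}

# Report. A non-empty list means the two-factor assumption does not hold yet.
if ($findings.Count -eq 0) {
    Write-Output "OK: client certificates required and device password enforced."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

# Remediation (commented out; run deliberately after reviewing the findings):
# Set-ActiveSyncVirtualDirectory -Identity "<SERVER>\Microsoft-Server-ActiveSync (Default Web Site)" -ClientCertAuth Required
# Set-ActiveSyncMailboxPolicy -Identity $policyName -DevicePasswordEnabled $true -MinDevicePasswordLength $minLength
```

Run it before switching users over: a directory still at `Accepted` or `Ignore` means expired domain passwords are still what the device presents, so the lockout problem the question describes is still present for those clients.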