If it is forced, that means the user can only access VPN from a domain-joined computer and cannot connect to VPN from another PC for the purpose of connecting to remote desktop or non-public OWA webmail, etc.
That will not be acceptable. Is there a way to make Start Before Logon an option so users don't have to use it, but is available as an option when needed? Some users only need this in case their domain account password expires or is reset while they are on the road and would not want to use this method every day or else need to use a personal computer not joined to the domain to access VPN.
I know this is an old thread but just in case. You can have the VPN GINA module (SBL) installed and not use it. The only option that will force you to connect and you cannot control is Always-On. But SBL is optional.