The likely answer to the question from Automation is:
Windows AutoPilot can help you to automate the process of joining devices to Azure Active Directory (AD) and enrolling them in Intune. It does not require your domain controller (DC) to be publicly accessible or a DC in the cloud. It's designed to simplify the setup process for new devices and does not require Direct Access or Always On VPN.
However, if you have a Hybrid Azure AD join scenario, it requires a line of sight to a domain controller, which is where VPN comes in. If the user is remote, the device will need to connect to the corporate network using VPN so that it can communicate with the domain controller to get a Kerberos ticket.
The device can get the Kerberos ticket either during the Out Of Box Experience (OOBE) phase if you're using VPN clients like Always On VPN, or after the OOBE if you're using a VPN client that requires user interaction.
Here is the official documentation on Windows Autopilot: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot
And here is a specific guide on Hybrid Azure AD Join: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan
For setting up VPN for Hybrid Azure AD Join, you can check this guide: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/user-driven-hybrid
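The answer above hinges on one practical check: before the Hybrid Azure AD join (and the Kerberos ticket it depends on) can complete, the device must be able to reach a domain controller, over the corporate LAN or over a VPN tunnel that is up before the user signs in. The following PowerShell script is an added example for verifying that precondition on a Windows device; it is not code from the original answer or from Microsoft's documentation. It uses only built-in tooling (Resolve-DnsName, Test-NetConnection and dsregcmd.exe); the domain name `corp.example.com` is a placeholder to replace with your own AD DNS domain, and the function names are the author's own.

```powershell
# Added example: verify a device has line of sight to a domain controller,
# the connectivity a Hybrid Azure AD join needs to obtain a Kerberos ticket.
# Assumptions: Windows 10/11, PowerShell 5.1 or later, DnsClient module present.
param(
    # Placeholder value; replace with your Active Directory DNS domain.
    [string]$Domain = 'corp.example.com'
)

function Get-DeviceJoinState {
    # dsregcmd /status is the authoritative view of the device's join state.
    # We pull the two lines that matter for Hybrid Azure AD join.
    $status = dsregcmd.exe /status
    $fields = @{}
    foreach ($name in 'AzureAdJoined', 'DomainJoined') {
        $match = $status | Select-String -Pattern "$name\s*:\s*(\w+)" | Select-Object -First 1
        $fields[$name] = if ($match) { $match.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
    }
    [pscustomobject]$fields
}

function Test-DomainControllerLineOfSight {
    param([Parameter(Mandatory)][string]$DomainName)

    # The DC locator record: an SRV lookup that only resolves when the
    # device can reach the corporate DNS (LAN or VPN with correct DNS settings).
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
                           -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1
    if (-not $srv) {
        return [pscustomobject]@{
            Domain    = $DomainName
            DcFound   = $false
            Dc        = $null
            Kerberos  = $false
            Ldap      = $false
            Verdict   = 'No DC located via DNS: not on corporate network or VPN not connected'
        }
    }

    # Kerberos (TCP 88) is needed for the ticket; LDAP (TCP 389) for the join itself.
    $kerberos = (Test-NetConnection -ComputerName $srv.NameTarget -Port 88  -WarningAction SilentlyContinue).TcpTestSucceeded
    $ldap     = (Test-NetConnection -ComputerName $srv.NameTarget -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded

    $verdict = if ($kerberos -and $ldap) {
        'DC reachable: Hybrid Azure AD join can complete from this network'
    } else {
        'DC located but ports blocked: check VPN split-tunnel rules and firewall'
    }

    [pscustomobject]@{
        Domain   = $DomainName
        DcFound  = $true
        Dc       = $srv.NameTarget
        Kerberos = $kerberos
        Ldap     = $ldap
        Verdict  = $verdict
    }
}

# Usage: run from an elevated PowerShell prompt on the device under test.
Get-DeviceJoinState | Format-List
Test-DomainControllerLineOfSight -DomainName $Domain | Format-List
```

Running this before the user signs in (for example, from the OOBE Shift+F10 command prompt, or through a device tunnel test) tells you whether the VPN comes up early enough for the join to finish during OOBE, or whether, as the answer notes for user-initiated VPN clients, the join will only complete after the user connects manually.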