@theodorbrander , From your description, I know we want to deploy Windows Autopilot user-driven Hybrid Azure AD Join using an Always-On VPN. For the VPN profile, it is a per-user setting which will not be deployed. Then we consider a Device Tunnel VPN profile for Always On VPN, but it is not working. If there's any misunderstanding, please let us know.
As far as I know, Device tunnel can only be configured on domain-joined devices running Windows 10 Enterprise or Education version 1709 or later. There is no support for third-party control of the device tunnel. Device tunnel does not support using the Name Resolution Policy table (NRPT) or Force tunnel. Also, device tunnel supports IKEv2 only, with no support for SSTP fallback. Please make sure the Device Tunnel requirements and features are all met in the following link:
https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config
I notice the VPN profile is authenticated with a certificate; please enable machine certificate authentication for VPN connections and define a root certification authority for authenticating incoming VPN connections. Also deploy the machine certificate to the device as well.
In addition, as a test, to confirm the VPN profile is working well, we can deploy it to a device such as an Azure AD joined device to see if it is working, to clarify our issue.
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
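The following PowerShell script is an added example, not part of the answer above and not Microsoft's own tooling: it runs the pre-flight checks the answer lists for an Always On VPN device tunnel on a Windows client (edition and build, domain join, trusted root CA, a machine certificate chaining to that root with the Client Authentication EKU, and a device-scope IKEv2 profile using machine-certificate authentication with split tunnelling). The root CA subject `CN=Contoso Root CA` and the profile name `DeviceTunnel` are placeholders to replace with your own values; the assumption that a deployed device tunnel is visible through `Get-VpnConnection -AllUserConnection` is marked in the code.

```powershell
# Added example (not from the original answer): pre-flight checks for an Always On VPN
# device tunnel. Run from an elevated PowerShell prompt on the target Windows client.
# $RootCaSubject and $ProfileName are placeholders; change them for your environment.

function Test-DeviceTunnelPrerequisites {
    param(
        [string]$RootCaSubject = 'CN=Contoso Root CA',   # placeholder
        [string]$ProfileName   = 'DeviceTunnel'          # placeholder
    )

    $results = [ordered]@{}

    # 1. Edition and build: Enterprise/Education, version 1709 (build 16299) or later.
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $results['EditionAndBuild'] = [pscustomobject]@{
        Pass   = ($os.Caption -match 'Enterprise|Education') -and ($build -ge 16299)
        Detail = "$($os.Caption), build $build"
    }

    # 2. Domain join: device tunnel is only supported on domain-joined devices.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results['DomainJoined'] = [pscustomobject]@{
        Pass   = [bool]$cs.PartOfDomain
        Detail = if ($cs.PartOfDomain) { "Joined to $($cs.Domain)" } else { 'Not domain-joined' }
    }

    # 3. The root CA used to authenticate the VPN must be in the machine's Trusted Roots.
    $rootCa = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $RootCaSubject }
    $results['RootCaTrusted'] = [pscustomobject]@{
        Pass   = [bool]$rootCa
        Detail = if ($rootCa) { "Thumbprint $($rootCa[0].Thumbprint)" }
                 else { "No trusted root with subject '$RootCaSubject'" }
    }

    # 4. Machine certificate: private key present, not expired, Client Authentication EKU
    #    (OID 1.3.6.1.5.5.7.3.2) and a chain that terminates at the expected root.
    $machineCert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.NotAfter -gt (Get-Date)) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
        } |
        Where-Object {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            [void]$chain.Build($_)
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            $root.Subject -eq $RootCaSubject
        }
    $results['MachineCertificate'] = [pscustomobject]@{
        Pass   = [bool]$machineCert
        Detail = if ($machineCert) { "Subject $($machineCert[0].Subject), expires $($machineCert[0].NotAfter)" }
                 else { 'No usable machine certificate chaining to the expected root' }
    }

    # 5. VPN profile: device scope, IKEv2 only (no SSTP fallback), machine-certificate
    #    authentication, split tunnelling (force tunnel is unsupported for device tunnel).
    #    Assumption: the deployed device tunnel appears under -AllUserConnection.
    $vpn = Get-VpnConnection -AllUserConnection -Name $ProfileName -ErrorAction SilentlyContinue
    $profileOk = ($null -ne $vpn) -and
                 ($vpn.TunnelType -eq 'Ikev2') -and
                 ($vpn.AuthenticationMethod -contains 'MachineCertificate') -and
                 [bool]$vpn.SplitTunneling
    $results['VpnProfile'] = [pscustomobject]@{
        Pass   = $profileOk
        Detail = if ($vpn) { "Server $($vpn.ServerAddress), tunnel $($vpn.TunnelType), auth $($vpn.AuthenticationMethod -join ','), split $($vpn.SplitTunneling)" }
                 else { "No device-scope profile named '$ProfileName'" }
    }

    return $results
}

# Usage: print each check with its result; a FAIL line points at the requirement to fix.
$checks = Test-DeviceTunnelPrerequisites
foreach ($name in $checks.Keys) {
    $status = if ($checks[$name].Pass) { 'PASS' } else { 'FAIL' }
    Write-Output ("{0,-4} {1,-20} {2}" -f $status, $name, $checks[$name].Detail)
}
```

Each check maps to one requirement stated in the answer, so a FAIL line tells you which prerequisite (edition, domain join, root CA, machine certificate or profile settings) to fix before deploying the tunnel through Autopilot.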