Thanks for your response.
For point 1, does GPO policy works well with VPN ? Also, is this applicable for new or existing devices and are you referring to autopilot VPN feature or normal VPN.
For point 2, as per the document share it says once devices are azure ad joined, you can't access app and resource in AD. Does that mean print and file servers won't be accessible via azure ad joined devices?
For point 3, if we don't use windows auto-pilot, what should we use for newly provisioning devices when all employees are working from home.