Autopilot + Hybrid AD + VPN

You only need LOS for the initial user login. You can HAADJ without LOS - it handles it via an ODJ blob that flows through your AD Connect server.

It’s flaky though, and you still need to sort LOS if you want to drop ship from a reseller directly. FortiClient can handle integrated login with SSL VPN before login as well.

Every time a company chooses HAADJ over AADJ, an angel loses its wings.

What do you mean “offline domain join”? How?

Could you share the example script you used? I have heard others used this method.

Yeah, it sucks, cuz I was dumb and thought that Kerberos Cloud Trust would fill in that Hybrid Join gap and allow users to sign into a new computer while not on the VPN and have it basically function like full blown Azure AD joined.

u/roygould How were you able to get the management tunnel to start before login without connecting to a user vpn session to pick up that there was a management configuration?

We’ve got the Intune app deploying the Secure Client with VpnMgmtTunProfile.xml in the correct folder under profiles/MgmtTun, but if we log in we see that the management tunnel is “disabled” until we make a successful user tunnel; then the mgmt tunnel works going forward.

Yes. There are some things you need to be aware of but the following two links cover the fundamentals.

https://learn.microsoft.com/en-gb/azure/active-directory/devices/azuread-join-sso
https://www.youtube.com/watch?v=4Ip3h4kJxmw

You can AAD join and VPN to on-prem resources. That’s how we have it set up, even though the “on-prem” domain is now in Azure VMs too lol

Best way is to test it and find out.

If they are popular they better do :wink:

Have a look at the Autopilot process here on what MS is saying about HAADJ (part of the flow with User-driven Active Directory Domain Services (AD DS)).

One of the steps is AD DS sign-in, and without an actual connection to the Domain Controller you won’t be able to authenticate.

So, unless you are on your company premises, a VPN with the ability to do Windows pre-logon authentication is a must.

You actually need LOS to complete the HAADJ job. During the process the client machine has to update the on-premises AD computer account with the “Client Device Certificate” before it gets synced to Azure AD, and this is pre-user-logon to the device.

The Intune Active Directory connector uses the offline domain join mechanism (using blobs) to join workstations to the domain; that’s the default behaviour for HAADJ provisioning.

Perhaps not what you’re 100% looking for, but this is what “offline domain join” does.

It pre-allocates an AD computer account; then, using a file, the computer can get the information (stored in that file) needed to join an AD domain (without the need for line-of-sight to an AD domain controller).

https://petri.com/offline-domain-join-active-directory/

https://nathanblasac.com/setup-the-intune-connector-for-active-directory-39acd2432086
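The two halves of that offline domain join, shown with djoin.exe as an added example (not from this thread, and not what the Intune connector literally runs; domain, OU, machine and file names are placeholders):

```powershell
# Added example: manual offline domain join (ODJ) with djoin.exe, the mechanism
# the Intune Active Directory connector automates for HAADJ. Domain, OU,
# machine name and blob path below are placeholders.

# --- Step 1: on a domain-joined admin host that does have line of sight to a DC ---
# Pre-creates the computer account in AD and writes the join metadata to a blob file.
$Domain   = 'corp.example.com'                        # placeholder
$Machine  = 'LAPTOP-0001'                             # placeholder
$OU       = 'OU=Autopilot,DC=corp,DC=example,DC=com'  # placeholder
$BlobPath = 'C:\ODJ\LAPTOP-0001.txt'                  # placeholder

New-Item -ItemType Directory -Path (Split-Path $BlobPath) -Force | Out-Null
djoin.exe /provision /domain $Domain /machine $Machine /machineou $OU /savefile $BlobPath /reuse
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# The blob carries the machine account password and domain metadata, so handle it
# like a credential: tighten its ACL to the current user only and delete it once consumed.
$acl = Get-Acl $BlobPath
$acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name, 'FullControl', 'Allow')))
Set-Acl -Path $BlobPath -AclObject $acl

# --- Step 2: on the new client, with no DC connectivity required ---
# Consumes the blob and stages the join; a reboot completes it.
djoin.exe /requestodj /loadfile $BlobPath /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed with exit code $LASTEXITCODE" }
Remove-Item $BlobPath -Force

# After the reboot, "dsregcmd /status" reports DomainJoined : YES. The join itself
# needed no DC, but the first interactive domain logon still does (or a pre-logon
# VPN), which is the "LOS for the initial user login" point made earlier in the thread.
Restart-Computer
```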

No script. Each MSI is a separate Win32 app and uses dependencies to install in the order needed.

A custom MSI that copies the anyconnect.xml config to the profile location for the client.

Yeah, I get it. Like I said though, if your users need an on-prem solution, HAADJ seems to work without any issue for us. We are using Palo Alto for VPN. We set up the device-based connection pretty easily. We also created a device cert and a PowerShell script to deploy it. Then we packaged it up with the Intune Win32 app conversion tool to deploy it with PowerShell.exe -ex bypass -File .\file name.ps1 on the command line once uploaded to Intune. We then set the ESP profile to not continue until the VPN app and the certificate were installed. From there the domain join worked without any issues.

Cool. So AAD authentication for Autopilot users, then VPN back in for on-prem access to stuff?

Do you have an on-prem print server that users map to? How would you handle that besides scripting it out?

It ain’t broke until I’ve tested it :zany_face:

You make custom MSIs for file drops? What led you to that as the solution? I just use Win32 Intune app packages that are just bat files. I suppose an MSI would provide much better detection though…