We currently have remote users on Windows 10 Enterprise connecting to our corporate network using DirectAccess. This currently works extremely well.
I've read that MS is discontinuing development of DirectAccess and now recommends that everyone use Always-On VPN. This sounded great to me at first, since it didn't require us to obtain a Win 10 Enterprise license for our remote users.
But it appears that Always-On VPN only connects after the user logs on to the machine using cached credentials and then connects the VPN using a user certificate. This doesn't, in my mind, meet the definition of Always-On.
I further read that you can create a device connection that will connect pre-logon. BUT this type of VPN using the native Windows client still requires an Enterprise license.
We configure PCs on site and domain-join them, then ship them to remote users to log on with their new credentials (which of course are not cached, because the user has never logged on to that machine). This of course works fine with DirectAccess, since it connects when the machine boots up and has an active connection to on-premises AD before the user logs on.
So, unless I am missing something, Always-On VPN can't be a replacement for our Windows 10 Pro remote PCs if we send them to users before the user logs on while on the corp network.
Please let me know if I am missing something. If not, we will just stick with DirectAccess until support for it is completely removed.
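For readers comparing the two options, the following is an added example (not part of the original post) of the pre-logon "device tunnel" profile the post refers to: an Always On VPN ProfileXML that authenticates with the machine certificate over IKEv2 and is provisioned through the VPNv2 CSP via the MDM/WMI bridge, which must be run as SYSTEM (the Enterprise-edition requirement the post mentions still applies). The server name, address ranges and profile name are placeholders.

```powershell
# Placeholder values; replace with your own VPN gateway and internal ranges.
$ProfileName = 'Corp-DeviceTunnel'
$ProfileXML = @'
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
  </NativeProfile>
  <!-- Route only the subnets the machine needs before logon (DCs, DNS, management). -->
  <Route>
    <Address>10.0.10.0</Address>
    <PrefixSize>24</PrefixSize>
  </Route>
  <!-- Traffic filter: limit the pre-logon tunnel to those hosts rather than the whole LAN. -->
  <TrafficFilter>
    <RemoteAddressRanges>10.0.10.0/24</RemoteAddressRanges>
  </TrafficFilter>
</VPNProfile>
'@

# Device tunnels live in the machine context, so this is created through the
# MDM bridge WMI provider (root\cimv2\mdm\dmmap), not Add-VpnConnection.
$NodeCspUri   = './Vendor/MSFT/VPNv2'
$Namespace    = 'root\cimv2\mdm\dmmap'
$ClassName    = 'MDM_VPNv2_01'
$EscapedName  = [uri]::EscapeDataString($ProfileName)
$EscapedXml   = [System.Security.SecurityElement]::Escape($ProfileXML)

$session  = New-CimSession
$instance = New-Object Microsoft.Management.Infrastructure.CimInstance $ClassName, $Namespace
$instance.CimInstanceProperties.Add(
  [Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID',   $NodeCspUri,  'String', 'Key'))
$instance.CimInstanceProperties.Add(
  [Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $EscapedName, 'String', 'Key'))
$instance.CimInstanceProperties.Add(
  [Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', $EscapedXml,  'String', 'Property'))

$session.CreateInstance($Namespace, $instance)   # profile appears in Get-VpnConnection -AllUserConnection
```

Run it under the SYSTEM account (for example via a scheduled task or PsExec -s); a successful deployment shows up with `Get-VpnConnection -AllUserConnection`, and the tunnel will attempt to connect at boot using the machine certificate.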