In advance of a future transition to Microsoft Intune we're refreshing our devices from Windows 7 x86 to Windows 10 x64 using an SCCM task sequence and usually we would do this on the LAN or by standalone media. We're currently running SCCM 1802 and Windows 10 1803. We have no plans to upgrade SCCM given the impending move to Intune and therefore (due to compatibility) will not be upgrading Windows 10 to a later release on this platform (we plan to push the latest version of Windows 10 from Intune).
A large proportion of our devices are now remotely connecting to our LAN over VPN (zScaler). Although I can push the refresh task sequence from SCCM I'm wondering how I could still establish a VPN connection during the build so the machine will join the Domain, setup BitLocker encryption and install the remainder of applications from SCCM.
I want to avoid sending an engineer to every site. Any suggestions please?