Are Always On VPN services that connect VPN automatically on company managed laptops not compliant since they connect to the network automatically without a user entering their own credentials and MFA?

What about pre-login machine tunnels that authenticate via device certificates that automatically provide line of sight to domain controllers so users can sign into domain joined devices remotely from the Windows lock screen even without cached credentials?