Hi,
For the GPO part:
Based on my understanding, it is a user configuration, so the GPO should be linked to the OU containing the users.
The GPO has "Authenticated Users" with "read" and "apply policy" permissions.
With only the read permission, the GPO would not apply to the users.
If you want to connect to VPN before login, you need to configure the Windows 10 Always On VPN device tunnel correctly. For more details about the network part, I would recommend you create a new case with the tag: windows-10-network.
Best Regards,
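
The two conditions in the answer above (GPO linked to the users' OU, and the trustee holding both read and apply) can be checked together. This is an added example, not part of the original post; the function name `Test-GpoUserTargeting`, the GPO name and the sample objects are constructed placeholders shaped like the output of `Get-GPPermission` and `Get-GPInheritance`.

```powershell
# Added example: decides whether a user-configuration GPO will reach users in an OU.
function Test-GpoUserTargeting {
    param(
        [Parameter(Mandatory)] [object[]] $Permissions,  # shape of Get-GPPermission -All output
        [Parameter(Mandatory)] [object[]] $Links,        # shape of (Get-GPInheritance).GpoLinks
        [Parameter(Mandatory)] [string]   $GpoName,
        [string] $Trustee = 'Authenticated Users'
    )
    # Condition 1: an enabled link for this GPO exists on the OU that holds the users.
    $link  = $Links | Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled }
    # Condition 2: the trustee has an allow entry that includes "apply".
    $entry = $Permissions | Where-Object { $_.Trustee.Name -eq $Trustee -and -not $_.Denied }
    # GpoApply means read plus apply; GpoRead alone does not apply the GPO.
    $canApply = [bool]($entry | Where-Object { "$($_.Permission)" -eq 'GpoApply' })
    [pscustomobject]@{
        Gpo        = $GpoName
        LinkedToOu = [bool]$link
        Trustee    = $Trustee
        Permission = ($entry.Permission -join ',')
        WillApply  = ([bool]$link -and $canApply)
    }
}

# Constructed sample data (placeholder GPO name), so the logic can be tried without a domain.
$gpo   = 'VPN User Settings'
$links = @([pscustomobject]@{ DisplayName = $gpo; Enabled = $true })
$readOnly = @([pscustomobject]@{
    Trustee = [pscustomobject]@{ Name = 'Authenticated Users' }
    Permission = 'GpoRead'; Denied = $false })
$readAndApply = @([pscustomobject]@{
    Trustee = [pscustomobject]@{ Name = 'Authenticated Users' }
    Permission = 'GpoApply'; Denied = $false })

Test-GpoUserTargeting -Permissions $readOnly     -Links $links -GpoName $gpo
Test-GpoUserTargeting -Permissions $readAndApply -Links $links -GpoName $gpo

# Against a live domain (RSAT GroupPolicy module), pass the real objects instead:
#   -Permissions (Get-GPPermission -Name $gpo -All)
#   -Links       (Get-GPInheritance -Target '<distinguished name of the users OU>').GpoLinks
```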