They provide reliable tools to help off-premises users access corporate networks and resources securely while working remotely or traveling. I don't think that change can be pushed out centrally. One of the more prominent names in VPN solutions for businesses is Check Point. The method I used also requires a tweak to set enable_machine_auth=false in faults (probably what you're alluding to?) on all client machines (so this needs some prior planning). I can't recall which one it was but I'll have a dig and let you know if I find it. You need the root cert from the CA installed on the firewall (similar to sk149253).
So you need a CA on your AD, and all machines must have a machine certificate from your AD CA. Machine based uses AD machine certificates. Machine based is good for people wishing to push down GPO updates etc. when they have a workforce that infrequently connects on the LAN.
You can also disable the ability for the user to disconnect, forcing them to stay on VPN permanently. This is possible and there are a few options around whether the VPN stays logged in as the machine based even after Windows login, or whether it is machine based up until the Windows login, then it drops and prompts for user login credentials. Do you mean you're trying to do a machine based VPN as the machine boots? Instead of waiting until after CTRL+ALT+DEL before establishing a user-login based VPN?