FortiClient Always on VPN

We currently don't force VPN and use AVD so many people don't connect to VPN very much. However, they have to connect to change their AD password and sync it with local PC. Does FortiClient offer an always on VPN where it connects at windows login with windows credentials and internal cert? We do currently use EMS for all our managed endpoints.