
Silent install of Cisco VPN Client

blrvenky
Level 1

Hi,

I am deploying VPN Client version 4.9 on new laptops and need silent installation instructions. The installation should install:

  1. Core & VPN
  2. Start Before Login
  3. VPN Posture (Hostscan)
  4. Diagnostics And Reporting Tool

How do I install the client with these features?

 

Thanks

Venky


Hi,

Download the AnyConnect pre-deploy ZIP file that includes the individual MSI file. E.g. - anyconnect-win-4.9.00086-predeploy-k9.zip

 

Refer to the deployment section of the AnyConnect Administration Guide here.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/administration/guide/b_AnyConnect_Administrator_Guide_4-9/deploy-anyconnect.html

 

The guide lists the MSI files for each module you require and gives examples of how to pre-deploy silently.

 

HTH

Do I need to run separate commands to run each msi application?

Yes, for example:

 

msiexec /package anyconnect-win-4.8.01090-core-vpn-predeploy-k9.msi /norestart /passive /lvx* vpninstall.log
msiexec /package anyconnect-win-4.8.01090-dart-predeploy-k9.msi /norestart /passive /lvx* dartinstall.log
msiexec /package anyconnect-win-4.8.01090-gina-predeploy-k9.msi /norestart /passive /lvx* sblinstall.log

 

Hi @Rob Ingram 

When performing a fresh installation of both (1 - core VPN and 2 - SBL GINA), is it possible to specify the default hostname to which the client should connect after installation? If yes, can you please share how this can be achieved?

Thank you,
Michal 

This can't be done as part of the msi install.

However if you are deploying using SCCM or some other centralized deployment tool you can copy an AnyConnect VPN profile (xml file created with the stand alone VPN profile editor or from ASDM) to the hidden (by default in Windows) profiles folder (i.e., C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile).

Here's a basic one that you can customize for use (modify the elements I highlighted in red):

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
	<ClientInitialization>
		<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
		<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
		<ShowPreConnectMessage>false</ShowPreConnectMessage>
		<CertificateStore>All</CertificateStore>
		<CertificateStoreMac>All</CertificateStoreMac>
		<CertificateStoreLinux>All</CertificateStoreLinux>
		<CertificateStoreOverride>false</CertificateStoreOverride>
		<ProxySettings>Native</ProxySettings>
		<AllowLocalProxyConnections>false</AllowLocalProxyConnections>
		<AuthenticationTimeout>30</AuthenticationTimeout>
		<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
		<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
		<LocalLanAccess UserControllable="true">false</LocalLanAccess>
		<DisableCaptivePortalDetection UserControllable="false">false</DisableCaptivePortalDetection>
		<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
		<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
		<AutoReconnect UserControllable="false">true
			<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
		</AutoReconnect>
		<SuspendOnConnectedStandby>false</SuspendOnConnectedStandby>
		<AutoUpdate UserControllable="false">true</AutoUpdate>
		<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
		<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
		<LinuxLogonEnforcement>SingleLocalLogon</LinuxLogonEnforcement>
		<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
		<LinuxVPNEstablishment>LocalUsersOnly</LinuxVPNEstablishment>
		<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
		<PPPExclusion UserControllable="false">Automatic
			<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
		</PPPExclusion>
		<EnableScripting UserControllable="false">false</EnableScripting>
		<EnableAutomaticServerSelection UserControllable="true">false
			<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
			<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
		</EnableAutomaticServerSelection>
		<RetainVpnOnLogoff>false
		</RetainVpnOnLogoff>
		<CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
		<AllowManualHostInput>true</AllowManualHostInput>
	</ClientInitialization>
	<ServerList>
		<HostEntry>
			<HostName>User-friendly name here</HostName>
			<HostAddress>FQDN of VPN headend</HostAddress>
		</HostEntry>
	</ServerList>
</AnyConnectProfile>

 

Hello @Marvin Rhoads 

Many thanks for the reply! I am glad that you explained that this is not doable from the command line but that there is a workaround. We use SCCM to deploy both the Secure Mobility Client and the Start Before Login module. When I applied your suggestion it did not help: when a new user logs into Windows and runs the Secure Mobility Client, the host name is still empty there. What I have done is copy the preferences.xml file to the hidden folder at C:\Users\Default\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client\preferences.xml. This way, when a new user logs into Windows, the settings are copied from the default profile to the user profile, and when the user opens the Secure Mobility Client the host name is filled out. Maybe this can be useful for you.

And also may I please ask you to comment if our preferences.xml is ok?

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser>user.name</DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint>OUR_THUMBPRINT</ClientCertificateThumbprint>
<MultipleClientCertificateThumbprints></MultipleClientCertificateThumbprints>
<ServerCertificateThumbprint></ServerCertificateThumbprint>
<DefaultHostName>our.hostname.com</DefaultHostName>
<DefaultHostAddress></DefaultHostAddress>
<DefaultGroup>OUR_GROUP</DefaultGroup>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<SDITokenType>none</SDITokenType>
<ControllablePreferences></ControllablePreferences>
</AnyConnectPreferences>

Sorry - you are correct. I should have mentioned preferences.xml as well. On my installation it's preferences_global.xml. The client certificate thumbprint isn't commonly used but it may be in your environment. Otherwise the file looks fine.

The file I mentioned won't populate the dropdown list by itself.

Hi @Marvin Rhoads 
Thank you for your reply, all your knowledge is golden to me! So these are my results:
- When I copied the file to your suggested folder, C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile, NOTHING CHANGES FOR US.
- When I copied the file to the folder suggested by me, C:\Users\Default\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client\preferences.xml, and I log in as a new user and open the Client, the hostname is filled out, and this is OK FOR US.
- When we install the whole PC from SCCM, the installation finishes, the Windows login screen appears and I click on the Start Before Login icon, the hostname is NOT filled out, and this is the most crucial thing for us to GET WORKING.
- When I log into the same Windows (as described above), run the Client (with the hostname already filled in, but shown only after login to Windows) and connect to the VPN, all works fine. I disconnect the VPN, then restart the PC and click on the SBL module again, and now the hostname is filled out...

And this gets me thinking that this VALUE has to be stored somewhere on Windows 10. Maybe it is a file in a hidden folder, a registry key, maybe in some temp folder, I really do not know. What I am asking is: do you know any METHOD for the SBL to be filled out with the hostname value after a fresh installation of Windows? Please let us know, thank you and Merry Christmas!

Marvin Rhoads
Hall of Fame

Have you tried enabling "Use Start Before Logon" in the AnyConnect VPN client profile?

SBL itself does not require (or even have) a unique profile that it uses per se but I believe the SBL module should pull that value from the client profile (if present).

OK, all worked fine, thank you!

Great - please mark my reply as having solved your problem in that case.
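
The procedure this thread arrives at (silent MSI installs, then a profile with Start Before Logon enabled staged in the Profile folder), written out as an added example; it is not code from any poster or from Cisco. The MSI names, the XML namespace and the destination path are the ones quoted above; `$Source`, `$ProfileXml` and the host-address pattern are assumptions.

```powershell
# Added example: validate the profile, install silently, then stage the profile.
# Run elevated (SCCM normally runs it as SYSTEM).
param(
    [string]$Source     = '.\predeploy',     # assumed folder holding the MSIs and the profile
    [string]$ProfileXml = 'vpn-profile.xml'  # assumed profile file name
)
$ErrorActionPreference = 'Stop'
$Source      = (Resolve-Path $Source).Path
$profilePath = Join-Path $Source $ProfileXml
$ns = @{ p = 'http://schemas.xmlsoap.org/encoding/' }  # namespace of the profile posted in the thread

# 1. Refuse to deploy a profile that still has SBL off or placeholder hosts.
$sbl = Select-Xml -Path $profilePath -Namespace $ns `
         -XPath '//p:ClientInitialization/p:UseStartBeforeLogon' | Select-Object -First 1
if (-not $sbl -or $sbl.Node.InnerText.Trim() -ne 'true') {
    throw 'UseStartBeforeLogon is not "true" (the setting that resolved this thread).'
}
$addresses = @(Select-Xml -Path $profilePath -Namespace $ns `
                 -XPath '//p:ServerList/p:HostEntry/p:HostAddress' |
               ForEach-Object { $_.Node.InnerText.Trim() })
# Assumed rule: a host address is an FQDN or IP literal, so no spaces or empty values.
$bad = @($addresses | Where-Object { $_ -notmatch '^[A-Za-z0-9.:-]+$' })
if ($addresses.Count -eq 0 -or $bad.Count -gt 0) {
    throw "ServerList needs real HostAddress values; rejected: '$($bad -join "', '")'"
}

# 2. Install the modules; core-vpn goes first because the others depend on it.
$msis = 'anyconnect-win-4.8.01090-core-vpn-predeploy-k9.msi',
        'anyconnect-win-4.8.01090-dart-predeploy-k9.msi',
        'anyconnect-win-4.8.01090-gina-predeploy-k9.msi'
foreach ($msi in $msis) {
    $log     = Join-Path $env:TEMP ($msi -replace '\.msi$', '.log')
    $msiArgs = "/package `"$(Join-Path $Source $msi)`" /norestart /passive /lvx* `"$log`""
    $proc    = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is required.
    if ($proc.ExitCode -notin 0, 3010) {
        throw "$msi failed with exit code $($proc.ExitCode); see $log"
    }
}

# 3. Stage the validated profile and record its hash for the deployment log.
$dest = Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client\Profile'
Copy-Item -Path $profilePath -Destination $dest -Force
Get-FileHash -Path (Join-Path $dest $ProfileXml) -Algorithm SHA256
```

Run against the profile posted earlier in the thread unchanged, step 1 stops the deployment, because that profile has `UseStartBeforeLogon` set to `false` and placeholder text in `HostAddress`.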
