Azure Active Directory Domain Services GPO on Windows 10 VM on premise

Claudio Cannatella 1 Reputation point
2023-01-01T15:11:55.007+00:00

Hi.

I have a question for understanding.

I have a special constellation. We do not have an on-premise server. Our users have a Microsoft 365 account and are therefore in Azure Active Directory. My idea is to ban the users from some features in Windows 10 using GPO. I have installed Azure Active Directory Domain Services. To do this, I configured a Server 2019 in Azure and installed the Group Policy Management Tools.

In the AADDS I see the users from Azure Active Directory. Now I have customized the existing AADDS User GPO. Unfortunately the policies are not transferred to the user.

Do the GPO only work with Windows 10 VM created in Azure?

Thx for Help
Claudio


5 answers

Sort by: Most helpful
  1. George Bungarzescu 6 Reputation points
    2023-02-04T12:37:42.73+00:00

    Your question was: "Do the GPO only work with Windows 10 VM created in Azure?"

    Short answer: No.
    Long Answer: In order to use the Azure AD DS GPOs, you need to enroll any VM or bare-metal device (over VPN) in the corresponding Azure AD DS domain. However, using Azure AD DS is not always the best solution.

    https://learn.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm

    1 person found this answer helpful.
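    The join requirement described in this answer can be checked from the Windows 10 client itself. The PowerShell diagnostic below is an added example, not code from any answer on this page; it assumes a placeholder managed-domain name in $DomainName and that the client has a network path to the Azure AD DS virtual network (over VPN for an on-premises device). It reports whether the device is AD DS joined (not merely Azure AD joined), whether DNS can locate the managed domain's domain controllers, whether the ports Group Policy processing needs are reachable, and which GPOs actually applied.

    ```powershell
    # Added diagnostic, not from this thread. Run in an elevated PowerShell on the Windows 10 client.
    # $DomainName is an assumption: replace the placeholder with your Azure AD DS managed domain name.
    param([string]$DomainName = 'aaddscontoso.com')  # placeholder managed-domain name

    # 1. Is the device joined to an AD DS domain at all? Azure AD join alone does not receive GPOs.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    Write-Host ("PartOfDomain: {0}  Domain: {1}" -f $cs.PartOfDomain, $cs.Domain)

    # dsregcmd distinguishes Azure AD joined (AzureAdJoined) from AD DS joined (DomainJoined).
    $dsreg = dsregcmd /status
    $dsreg | Where-Object { $_ -match '^\s*(AzureAdJoined|DomainJoined|DomainName)\s*:' } |
        ForEach-Object { Write-Host $_.Trim() }

    if (-not $cs.PartOfDomain) {
        Write-Warning "Device is not joined to an AD DS domain; Group Policy from Azure AD DS cannot apply."
    }

    # 2. Can the client locate the managed domain's DCs through DNS? Requires the VNet DNS servers / VPN.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) {
        Write-Warning "No SRV records for $DomainName; client DNS does not point at the Azure AD DS DNS servers."
    }

    # 3. Group Policy processing needs these ports open to the DCs (through the VPN for on-premises devices).
    $ports = [ordered]@{ 'DNS' = 53; 'Kerberos' = 88; 'LDAP' = 389; 'SMB (SYSVOL)' = 445 }
    $dcs = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique
    foreach ($dc in $dcs) {
        foreach ($name in $ports.Keys) {
            $ok = (Test-NetConnection -ComputerName $dc -Port $ports[$name] -WarningAction SilentlyContinue).TcpTestSucceeded
            Write-Host ("{0,-40} {1,-12} {2}" -f $dc, $name, $(if ($ok) { 'open' } else { 'BLOCKED' }))
        }
    }

    # 4. Show which GPOs applied; the AADDC Users / AADDC Computers policies should be listed on a joined device.
    if ($cs.PartOfDomain) { gpresult /r /scope:computer }
    ```

    A device that shows AzureAdJoined : YES but DomainJoined : NO, or that cannot resolve the SRV record, is in exactly the state the answer above describes: it must be joined to the managed domain over a working network path before the customized AADDC GPO can apply.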

  2. Jordan Millama 1,296 Reputation points
    2023-01-01T16:49:52.633+00:00

    You can utilize Intune (Endpoint Manager); here's a starting point for you: intune-administrative-template. You can also create custom ones or even just deploy PowerShell scripts.

    ----------

    Please accept as an answer if this was helpful.


  3. Pavel yannara Mirochnitchenko 11,716 Reputation points MVP
    2023-01-01T21:17:28.89+00:00

    GPOs work only for AD DS joined computers.

    For managing workstations with policies, you really don't have to install on-prem Active Directory and use GPO. You can do everything in Intune.


  4. Limitless Technology 43,951 Reputation points
    2023-01-03T07:43:16.96+00:00

    Hello there,

    Azure AD DS includes built-in GPOs for the AADDC Users and AADDC Computers containers. You can customize these built-in GPOs to configure Group Policy as needed for your environment.

    More information here https://learn.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy

    An Azure VM that is domain joined to an on-prem Active Directory domain would be able to pull GPOs from the on-prem Active Directory Domain Controllers. Group Policies would get applied on it just like on a normal server in the on-prem AD domain.

    We need to make sure that the Azure VM is able to speak to a DC without any network issues; that would get the Group Policy objects flowing from the DC to the Azure VM.

    ---------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer--

