Domain Group Policy not applying to Hybrid Azure AD Joined devices.

Jabulani Motloung 191 Reputation points
2023-08-07T08:24:16.7933333+00:00

Good day,

We are enrolling our Hybrid Azure AD Joined devices to Intune. We have noticed that devices are not auto-enrolling via group policy set at the domain level; however, when we test and configure local group policy on a single device, it auto-enrolls into Intune.

What could be preventing domain group policy from overriding local group policy?

Advice here will be highly appreciated.

Regards


2 answers

  1. Limitless Technology 44,776 Reputation points
    2023-08-08T15:26:31.7033333+00:00

    Hello there,

    If Group Policy settings are not applying to Hybrid Azure AD Joined devices in your environment, there could be several reasons for this issue. Here are some troubleshooting steps you can take to identify and resolve the problem:

    Check Azure AD Connect Configuration:

    Ensure that your Azure AD Connect configuration is set up correctly and synchronizing properly. The devices and users should be syncing properly between on-premises Active Directory and Azure AD.

    Validate Hybrid Azure AD Join:

    Verify that the devices are actually Hybrid Azure AD Joined. You can do this by checking the device's "Azure AD Join" status in the device settings. It should show as "Hybrid Azure AD joined."

    Network Connectivity:

    Ensure that the devices have proper network connectivity to your on-premises Active Directory domain controllers and that they can communicate with the domain controllers hosting the Group Policy objects.

    DNS Configuration:

    Make sure that the devices are configured to use the correct DNS servers that can resolve your domain's DNS records. DNS issues can prevent devices from locating domain controllers and applying Group Policy settings.

    Group Policy Replication:

    Check if the Group Policy objects are replicating properly between domain controllers. Run the command gpupdate /force on the device to force a Group Policy update and check for any errors in the event logs.

    OU and Security Filtering:

    Ensure that the Hybrid Azure AD Joined devices are located within the appropriate Organizational Units (OUs) where the Group Policy objects are linked. Also, check the security filtering settings of the Group Policy objects to ensure that the devices and users are included.

    Firewall and Proxy Settings:

    If your network uses firewalls or proxies, ensure that they are not blocking communication between the devices and the domain controllers. Necessary ports and endpoints for Active Directory communication should be open.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--


  2. justusferris-6862 5 Reputation points
    2024-12-13T07:30:57.5366667+00:00

    In a hybrid Microsoft Cloud environment, managing Group Policy Objects (GPOs) can present unique challenges. Here are some common issues and their potential solutions:

    **Azure AD Connect Configuration**:

    - **Issue**: Incorrect or incomplete Azure AD Connect setup can prevent proper synchronization between on-premises Active Directory and Azure AD.
    - **Solution**: Ensure Azure AD Connect is configured correctly and that all necessary Organizational Units (OUs) are included in the synchronization scope[1].

    **Hybrid Azure AD Join**:

    - **Issue**: Devices may not be properly hybrid Azure AD joined, leading to GPOs not applying.
    - **Solution**: Verify the hybrid join status of devices in the device settings. They should show as "Hybrid Azure AD joined"[[2]](https://learn.microsoft.com/en-us/answers/questions/1342252/domain-group-policy-not-applying-to-hybrid-azure-a).

    **Network Connectivity**:

    - **Issue**: Devices may have network issues that prevent them from communicating with on-premises domain controllers.
    - **Solution**: Ensure devices have proper network connectivity and can reach domain controllers hosting the GPOs[[2]](https://learn.microsoft.com/en-us/answers/questions/1342252/domain-group-policy-not-applying-to-hybrid-azure-a).

    **DNS Configuration**:

    - **Issue**: Incorrect DNS settings can prevent devices from locating domain controllers.
    - **Solution**: Configure devices to use the correct DNS servers that can resolve your domain's DNS records[[2]](https://learn.microsoft.com/en-us/answers/questions/1342252/domain-group-policy-not-applying-to-hybrid-azure-a).

    **Group Policy Replication**:

    - **Issue**: GPOs may not replicate properly between domain controllers.
    - **Solution**: Check GPO replication status and run `gpupdate /force` on affected devices to force a policy update[[2]](https://learn.microsoft.com/en-us/answers/questions/1342252/domain-group-policy-not-applying-to-hybrid-azure-a).

    **Policy Conflicts**:

    - **Issue**: Conflicts between local and domain-level GPOs can cause policies not to apply as expected.
    - **Solution**: Review and resolve any conflicts between local and domain-level policies[[2]](https://learn.microsoft.com/en-us/answers/questions/1342252/domain-group-policy-not-applying-to-hybrid-azure-a).

    **Intune Integration**:

    - **Issue**: Devices enrolled in Intune may have conflicts with domain GPOs.
    - **Solution**: Ensure that Intune policies do not override or conflict with domain GPOs[[2]](https://learn.microsoft.com/en-us/answers/questions/1342252/domain-group-policy-not-applying-to-hybrid-azure-a).

    These steps should help you troubleshoot and resolve common GPO issues in a hybrid environment.

    References

    [1] Troubleshooting hybrid Azure AD errors during Windows 365 Cloud PC ...

    [2] Domain Group Policy not applying to Hybrid Azure AD Joined devices.

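Both answers above list the same device-side checks (hybrid join state, whether the domain GPO actually applied or was filtered out, and the enrollment event log). The PowerShell below is an added example, written for this thread and not taken from either answer; it assumes it runs elevated on the affected domain-joined Windows device with English `gpresult` output, and that the domain GPO under test is the Intune "Enable automatic MDM enrollment using default Azure AD credentials" setting, which writes the `AutoEnrollMDM` and `UseAADCredentialType` values under the MDM policy key.

```powershell
# Added diagnostic script (assumptions: run as administrator on the affected device;
# the domain GPO is the Intune auto-enrollment setting, which populates this key).
$mdmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

function Get-AutoEnrollPolicyState {
    # $null means no MDM policy value reached this device at all.
    if (-not (Test-Path $mdmKey)) { return $null }
    $p = Get-ItemProperty -Path $mdmKey
    [pscustomobject]@{
        AutoEnrollMDM        = $p.AutoEnrollMDM          # expected 1 when the GPO applied
        UseAADCredentialType = $p.UseAADCredentialType   # 2 = device credential
    }
}

function Get-HybridJoinState {
    # dsregcmd /status prints "DomainJoined : YES" and "AzureAdJoined : YES" on a hybrid-joined device.
    $out = dsregcmd /status
    [pscustomobject]@{
        DomainJoined  = [bool]($out -match '^\s*DomainJoined\s*:\s*YES')
        AzureAdJoined = [bool]($out -match '^\s*AzureAdJoined\s*:\s*YES')
    }
}

function Get-ComputerGpoResult {
    # Parses gpresult: a GPO that is linked but blocked by OU placement, security
    # filtering or a WMI filter shows up under "not applied" with its filtering reason.
    $result = @{ Applied = @(); NotApplied = @() }
    $section = $null
    foreach ($l in (gpresult /r /scope:computer)) {
        if ($l -match 'Applied Group Policy Objects')          { $section = 'Applied';    continue }
        if ($l -match 'GPOs were not applied')                 { $section = 'NotApplied'; continue }
        if ($l -match 'part of the following security groups') { $section = $null;        continue }
        if ($section -and $l -match '\S' -and $l -notmatch '^\s*-+\s*$') { $result[$section] += $l.Trim() }
    }
    $result
}

$policy = Get-AutoEnrollPolicyState
$join   = Get-HybridJoinState
$gpos   = Get-ComputerGpoResult
if (-not $policy) { Write-Warning 'MDM policy key absent: the domain GPO did not reach this device; see NotAppliedGpos.' }
[pscustomobject]@{
    DomainJoined   = $join.DomainJoined;        AzureAdJoined  = $join.AzureAdJoined
    AutoEnrollMDM  = $policy.AutoEnrollMDM;     CredentialType = $policy.UseAADCredentialType
    AppliedGpos    = $gpos.Applied -join '; ';  NotAppliedGpos = $gpos.NotApplied -join '; '
} | Format-List

# Most recent enrollment errors (Level 2 = Error) from the MDM diagnostics log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'; Level = 2
} -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

If the local-GPO test from the question was left in place on the device, clear it before running this, since it writes the same registry values and would mask whether the domain GPO is arriving.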