I am testing the deployment of Hybrid Azure AD Join in a federated domain to 32k users. We want to limit the rollout to only Windows 10 version 1909 (latest) and later. I know that we can use the Controlled Validation option that Microsoft describes by deleting the SCP in AD and applying the registry values. Our issue with the GPO option is that we have found that users on VPN are not always receiving GPO, and it is not a reliable method. As an alternative, is it possible to modify the ADFS claims rules to only allow version 1909 and above and control access that way?