Hello @christopher Moriarty ,
Thank you so much for posting here.
Based on our experience, I would give you the following recommendation. Hope helpful to you.
- As we know, when connected via VPN, the client will be distributed a new IP address. And we could configure a new site for this subnet segment. Then make sure that there is no GPO linked to this site.
- When connected to the LAN connection in the office, the client will be in another site according to the configuration of site and subnet. Please make sure that the GPO is linked to this site. Then the GPO will be only pushed here.
For any question, please feel free to contact us.
Best regards,
Hannah Xiong
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.