**DC needs to know the client IP for Kerberos to work and would assume same requirements here. Can someone please confirm or negate my suspicions?**
I confirm that the DC needs to know the client IP to identify its subnet and the closest domain controller for authentication and GPO.
The network flow should be opened between the client and domain controller to apply GPOs.
Please don't forget to mark the helpful reply as the answer.
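The subnet-to-site lookup mentioned in the reply, sketched as an added example that is not part of the original thread. The subnet table, site names and sample addresses are constructed, and the most-specific-subnet rule is stated here as an assumption about how overlapping subnet objects are resolved.

```python
import ipaddress

# Constructed subnet-to-site table, standing in for the subnet objects
# defined in Active Directory Sites and Services (all values hypothetical).
SITE_SUBNETS = {
    "10.0.0.0/8": "HQ",
    "10.20.0.0/16": "Branch-Paris",
    "10.20.30.0/24": "Branch-Paris-Lab",
    "192.168.50.0/24": "Branch-Lyon",
}


def resolve_site(client_ip, site_subnets=SITE_SUBNETS):
    """Return (site, subnet) for the most specific subnet containing
    client_ip, or (None, None) when no subnet object matches."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for cidr, site in site_subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            # Longest prefix wins when subnets overlap.
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (site, net)
    if best is None:
        return None, None
    return best[0], str(best[1])


def audit(observed_ips):
    """Group source addresses, as the DC sees them, by resolved site.
    Addresses with no matching subnet are collected under the key None."""
    result = {}
    for ip in observed_ips:
        site, _ = resolve_site(ip)
        result.setdefault(site, []).append(ip)
    return result


if __name__ == "__main__":
    # Constructed source addresses. The last one stands for a client whose
    # address was translated on the way to the DC and has no subnet object.
    for ip in ["10.1.2.3", "10.20.30.40", "10.20.99.1", "192.168.50.7", "172.16.4.9"]:
        print(ip, resolve_site(ip))
```

Running `audit` over the source addresses seen on the DC side shows which clients would not be placed in any site, which is the case to check when the path between client and DC rewrites the client address.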