Forum Discussion
bbelko, Copper Contributor
Jul 19, 2024
Hybrid AAD - Intune feature upgrade - security gap before GPO will be applied when no AD connectivity
Hello,
I am looking for a way to be sure that there will be no security gap/breach in the following scenario: there are Windows 10 machines which are hybrid domain joined (both AD and Azure connected) and managed by Intune and GPO. Many security settings are still configured by GPO (not configured in Intune at all). We plan to use the Intune feature upgrade to perform the upgrade to Windows 11.

It can happen for users who are working from home that they will receive the Intune feature upgrade and will be upgraded to Windows 11. After this, as they are working from home, if no VPN is established there is no AD connectivity, so GPO will not be applied. This can lead to missing security configuration (which is done via GPO) and a security breach. Is there any way to handle it (except creating all GPO settings in Intune)?
- SebastiaanSmits, Steel Contributor
GPOs are already applied to the device before the upgrade, right? Why do you need to receive them after the upgrade? Are there any Win11 specifics? Not sure if I follow you here.
If you need to receive the GPOs when not on the internal network, then indeed the only option is to tunnel the device to the internal network (VPN) or get the settings over the internet via MDM; there is no alternative.
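The reply above rests on the device still carrying the policy it received before the upgrade. What a practitioner will want is a way to prove that on a machine that has no line of sight to a DC, rather than assume it. The script below is an added example for that purpose; it is not code from the thread or from Microsoft. It reads the Group Policy operational log to find the last successful machine-policy application and the last "no DC reachable" failure, lists the GPOs the local policy cache still records, and compares a few settings of the kind bbelko mentions (the built-in Administrator account state and service start modes) against an expected baseline. The service names and expected values in `$expected` are assumptions standing in for whatever your GPOs actually enforce; the event IDs and registry path are the ones the Group Policy engine itself uses.

```powershell
# Added example: post-upgrade audit of GPO-delivered settings on a hybrid-joined
# device that currently has no connectivity to a domain controller.
# Run elevated. The entries in $expected are ASSUMED placeholders; replace them
# with the settings your own GPO baseline enforces.

$ErrorActionPreference = 'Stop'

# 1. When did machine policy last apply, and did it last fail for lack of a DC?
#    Microsoft-Windows-GroupPolicy/Operational event IDs:
#      1500 / 1502 = computer policy processed (new settings / no changes)
#      1129        = processing failed: no network connectivity to a domain controller
$gpLog    = 'Microsoft-Windows-GroupPolicy/Operational'
$lastOk   = Get-WinEvent -FilterHashtable @{ LogName = $gpLog; Id = 1500, 1502 } -MaxEvents 1 -ErrorAction SilentlyContinue
$lastFail = Get-WinEvent -FilterHashtable @{ LogName = $gpLog; Id = 1129 }       -MaxEvents 1 -ErrorAction SilentlyContinue

# 2. Which GPOs does the local policy cache still list?
#    The GP engine writes one subkey per client-side extension, each holding
#    numbered entries with DisplayName / GPO-ID / Version for the GPOs it applied.
$historyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
$cachedGpos = @()
if (Test-Path $historyKey) {
    $cachedGpos = @(Get-ChildItem $historyKey -Recurse |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.DisplayName } |
        Select-Object -ExpandProperty DisplayName -Unique)
}

# 3. Compare what the GPO is supposed to enforce with what is live on the box.
#    ASSUMED baseline: built-in Administrator disabled, two services pinned to a start mode.
$expected = @{
    LocalAdminEnabled = $false
    Services = @{
        'RemoteRegistry' = 'Disabled'   # Win32_Service.StartMode values: Boot, System, Auto, Manual, Disabled
        'WinRM'          = 'Auto'
    }
}

$findings = [System.Collections.Generic.List[string]]::new()

# The built-in Administrator is the account whose RID is 500, whatever it was renamed to.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($builtinAdmin.Enabled -ne $expected.LocalAdminEnabled) {
    $findings.Add("Built-in Administrator '$($builtinAdmin.Name)': Enabled=$($builtinAdmin.Enabled), expected $($expected.LocalAdminEnabled)")
}

foreach ($svc in $expected.Services.GetEnumerator()) {
    $actual = Get-CimInstance Win32_Service -Filter "Name='$($svc.Key)'" |
        Select-Object -ExpandProperty StartMode
    if ($actual -ne $svc.Value) {
        # $actual is $null when the service does not exist; that is reported as a mismatch too.
        $findings.Add("Service $($svc.Key): StartMode=$actual, expected $($svc.Value)")
    }
}

# 4. Report. OS build >= 22000 means the feature upgrade to Windows 11 has happened.
$report = [pscustomobject]@{
    OSBuild           = (Get-CimInstance Win32_OperatingSystem).BuildNumber
    LastPolicyApplied = if ($lastOk)   { $lastOk.TimeCreated }   else { $null }
    LastDcUnreachable = if ($lastFail) { $lastFail.TimeCreated } else { $null }
    CachedGpoCount    = $cachedGpos.Count
    CachedGpos        = ($cachedGpos -join '; ')
    Findings          = $findings
}
$report | Format-List

# Exit code usable as an Intune detection script: 1 = drift detected / policy never applied.
if ($findings.Count -gt 0 -or -not $lastOk) { exit 1 } else { exit 0 }
```

Deployed as the detection half of an Intune remediation, this turns the question from "did GPO apply after the upgrade?" into a per-device compliance signal you can report on, and the `LastDcUnreachable` timestamp next to `LastPolicyApplied` tells you whether a device has been running on cached policy only, and for how long.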
- bbelko, Copper Contributor
These GPOs are not only specific to Win11; e.g., there is configuration of the local admin account, startup of OS services, etc.
Plus one more question: will the user be able to log in at all to the new OS without line of sight to an AD DC?