Forum Discussion
Windows Server 2019 Active Directory GPOs blocked by Windows 10 firewall when forced from the serve
- Jan 22, 2019
There are two separate issues here: are the clients getting the GPOs, and can you force a GPO update of the client from the server?
The clients should get the GPOs applied according to the normal GPO processing methodology:
https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/15/group-policy-basics-part-2-understanding-which-gpos-to-apply/
https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/22/group-policy-basics-part-3-how-clients-process-gpos/
Assuming the clients are getting the policies applied through the normal mechanisms, the second issue is whether or not you can force a GPO update from the server. In order to allow the Windows 10 workstation to receive the command from the server, Windows Remote Management needs to be enabled on the workstation (Windows Remote Management is enabled by default in the server OS but not in the workstation OS).
The easiest way to do this is to create the starter GPOs in the Group Policy Management Console on the server. There is a starter GPO that enables remote management that you can link to the OU that contains the client systems. Allow that GPO to apply (or trigger it locally on the workstation) and then reboot the workstation. You should then be able to force additional GPOs to apply from the server.
Hope this helps.
Ed Gallagher, MVP
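The procedure from the answer above, scripted with the GroupPolicy and ActiveDirectory modules; this is an added example, not code from the thread. It assumes the starter GPO meant is the built-in "Group Policy Remote Update Firewall Ports" and that the Starter GPOs folder has already been created in GPMC; the OU path, GPO name and function names are placeholders.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ClientOu   = 'OU=Workstations,DC=example,DC=com'          # placeholder OU holding the clients
$GpoName    = 'Workstations - Remote GP Update'            # hypothetical GPO name
$StarterGpo = 'Group Policy Remote Update Firewall Ports'  # assumed starter GPO (see lead-in)

function Publish-RemoteUpdateGpo {
    # Create the GPO from the starter GPO once and link it only to the client OU,
    # so the inbound firewall exceptions are not applied domain-wide.
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName -StarterGpoName $StarterGpo |
            New-GPLink -Target $ClientOu | Out-Null
    }
}

function Invoke-OuPolicyRefresh {
    # Run after the clients have applied the GPO above and rebooted.
    # Returns one row per computer so blocked clients are visible, not silently skipped.
    foreach ($pc in Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $ClientOu) {
        try {
            Invoke-GPUpdate -Computer $pc.DNSHostName -Force `
                -RandomDelayInMinutes 0 -ErrorAction Stop
            [pscustomobject]@{ Computer = $pc.Name; Status = 'Refresh scheduled'; Detail = '' }
        }
        catch {
            # A firewall block or an unreachable host ends up here with the error text.
            [pscustomobject]@{ Computer = $pc.Name; Status = 'Failed'; Detail = $_.Exception.Message }
        }
    }
}

Publish-RemoteUpdateGpo
Invoke-OuPolicyRefresh | Sort-Object Status | Format-Table -AutoSize
```

On the first run most clients will show as Failed, because they have not yet picked up the new GPO; rerun `Invoke-OuPolicyRefresh` after they have applied it and rebooted.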
Thanks for the info, it was very helpful.
Ed