I'm in the process of migrating our devices to be Entra only, and we plan to decommission our on-prem DCs. We're reimaging devices for Entra joining and using an RMM tool for policy deployment. However, users still exist on the on-prem DCs, and we're using ADConnect to sync them over to Entra until the decommissioning is complete.
Here's what surprised me: We had a Group Policy set on our on-prem DCs to adjust some Google Chrome settings. To my surprise, the policy seemed not to apply to our domain-joined machines, but once I reimaged a device and logged it in as an Entra device, the policy worked perfectly.
This confused me because I thought that without being domain-joined and without an AD record, no policies would apply. Can someone explain why this seems to work for user context policies assigned to Auth Users?
4 Answers
How are you reimaging the devices? Are you using a bootable medium or resetting them? If you're resetting, check this out: some settings might persist after using Windows Reset.
Have you tried deleting the registry.pol file and running gpupdate? What does gpresult /h show for you? I'm curious if the policy still appears after that.
I’ll check that on the next completed image. It's not a big issue for us right now since I can disable the policy, but I’m just trying to wrap my head around how GP works for these Entra Joined devices.
Quick question: Can you see the device in your domain?
No, it's joined to WORKGROUP. The users are using Cloud Auth too, so they're not hitting our DC for authentication.
It's a good question! Generally, if a device isn't domain-joined to your on-prem AD, it shouldn't process any Group Policies. While that's typically the case for Computer Configuration policies, User Configuration policies can still apply, especially since your users are synced from the on-prem AD to Entra ID.
Interesting point! I’m resetting them with Cloud Download. So far, I haven't noticed any leftover data or Windows.old folders.
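A PowerShell check that collects the items asked about in this thread in one pass (join state from dsregcmd, presence of the local registry.pol files, the GPOs Group Policy last recorded as applied, the Chrome policy registry values, and a gpresult /h report). This is an added example, not code posted by anyone in the thread; it assumes the standard Windows paths and an elevated session on the affected device.

```powershell
# Added diagnostic, not code from the thread. Run elevated on the affected Windows device.
# Reports the join state, whether local registry.pol files exist, which GPOs Group Policy
# last recorded as applied, and what Chrome policy values are currently set.

function Get-DsregValue([string[]]$Lines, [string]$Name) {
    # dsregcmd /status prints lines such as "AzureAdJoined : YES"
    $m = $Lines | Select-String -Pattern "^\s*$Name\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
}

function Get-GpoHistory([string]$HiveRoot) {
    # Group Policy records the GPOs it last applied under ...\Group Policy\History\<CSE GUID>\<n>
    $base = Join-Path $HiveRoot 'SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base -Recurse | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ($p.GPOName) { [pscustomobject]@{ Scope = $HiveRoot; GPO = $p.DisplayName; Source = $p.FileSysPath } }
    } | Sort-Object GPO, Source -Unique
}

$ds = dsregcmd /status 2>$null
[pscustomobject]@{
    AzureAdJoined = Get-DsregValue $ds 'AzureAdJoined'
    DomainJoined  = Get-DsregValue $ds 'DomainJoined'
    DomainName    = Get-DsregValue $ds 'DomainName'
} | Format-List

# Local (non-domain) policy files; a file surviving here applies with no DC involved.
$gpRoot = Join-Path $env:SystemRoot 'System32\GroupPolicy'
foreach ($scope in 'Machine', 'User') {
    $pol = Join-Path $gpRoot "$scope\registry.pol"
    if (Test-Path $pol) {
        $f = Get-Item $pol
        "$scope registry.pol present: $($f.Length) bytes, modified $($f.LastWriteTime)"
    } else { "$scope registry.pol absent" }
}

# GPOs that the machine and the current user last recorded as applied (name and SYSVOL path)
@(Get-GpoHistory 'HKLM:') + @(Get-GpoHistory 'HKCU:') | Format-Table -AutoSize

# Chrome policy values currently in effect for the machine and for the current user
foreach ($key in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome') {
    if (Test-Path $key) { "`n$key"; Get-ItemProperty $key | Select-Object * -ExcludeProperty PS* | Format-List }
    else { "$key not set" }
}

# Full RSoP report for the user who sees the unexpected settings
gpresult /h "$env:TEMP\gpresult.html" /f
"RSoP report written to $env:TEMP\gpresult.html"
```

If the history section is empty but the Chrome keys are populated, the settings did not come from a processed GPO and the RMM or MDM channel (or a value left behind by the reset) is the place to look next.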