Creating a Group Policy that enforces prerequisites before a PC can join the domain requires a combination of Group Policy Objects (GPOs) and conditional logic enforced by scripts, security policies, or network access control (NAC). Unfortunately, GPOs themselves don’t control whether a system can join the domain — that happens before Group Policies are applied.
🔐 Recommended Approach: Enforce via Pre-Join Checks and Network-Level Controls
✅ Step 1: Define Prerequisites
Some common prerequisites:
- Specific OS version (e.g., Windows 10/11 Pro or Enterprise)
- Certain software installed (e.g., antivirus)
- Required security settings (e.g., BitLocker enabled)
- MAC address in allowed list (for corporate devices)
- TPM or Secure Boot enabled
🔒 Step 2: Control Domain Join Using One of These Methods
Option A: Network Access Control (NAC) / DHCP Filtering
Only allow devices meeting policy to access the network where domain controllers reside.
- Use NAC (Cisco ISE, Aruba ClearPass, Microsoft NPS + 802.1X) to enforce:
- OS compliance
- Endpoint health
- Device registration (based on MAC, certificate, etc.)
- Filter by MAC address or issue 802.1X certificates to approved systems only
Option B: Pre-Staging Computers in Active Directory
- In Active Directory Users and Computers (ADUC):
- Pre-create the computer account in a specific OU
- Set permissions so only approved joiners can use it
- Combine with GPO enforced for that OU
Option C: PowerShell Script Validation During Imaging or Deployment
Use a PowerShell script during device imaging or deployment (via MDT/SCCM/Intune/Autopilot) to check for requirements and only join the domain if they are met.
powershell# Sample PowerShell check
if ((Get-WmiObject -Class Win32_OperatingSystem).Caption -match "Windows 11") {
if (Get-BitLockerVolume | Where-Object {$_.ProtectionStatus -eq 1}) {
Add-Computer -DomainName "corp.domain.com" -Credential (Get-Credential) -Restart
} else {
Write-Host "BitLocker not enabled. Aborting domain join."
}
} else {
Write-Host "Unsupported OS version. Aborting domain join."
}
🛡️ Step 3: Group Policy to Enforce Post-Join Compliance
After the system joins the domain, use GPOs to:
- Enforce BitLocker encryption
- Enforce antivirus install and real-time protection
- Restrict access until device meets posture requirements
- Trigger remediation scripts
✅ Bonus: Combine With Intune Conditional Access (Hybrid-Join)
If using Hybrid Azure AD Join, leverage Intune + Conditional Access policies to:
- Block access to resources until compliance policies are met
- Automatically quarantine non-compliant devices
