Catherine is correct. But...there are multiple ways to do the same thing. Hopefully I can add a few ways of doing the same thing...I only have 5 years of Intune experience.
- Do I need a direct connection to the domain either via VPN or in an office for this policy to work in a Hybrid Azure AD environment? In a hybrid environment you can still set ControlPolicyConflict/MDMWinsOverGP to No. GPO will win until you go fully Entra joined.
- How often does the policy run? Can that be modified?
8 hours; there are a few ways to modify that...
First, you can restart the Windows Intune Extension Service in Services.msc.
Second, in the Intune console you can run a sync when you select the device.
Third, users can run a sync through the instructions Catherine provided.
Finally, if you want all machines to run a sync at the same time, restart the service using a script, which I am sure you know how to write.
- While the GPO would instantly correct the members of the Administrators group, I am not seeing that with this policy. What is the expectation using this policy? My guess at this point is that things happen once and that is it, or they happen when the policy has accounts added, but not deleted.
You can create a custom OMA-URI. Custom GPOs. Very powerful, make sure you test.
https://video2.skills-academy.com/en-us/mem/intune/configuration/custom-settings-windows-10
If you set ControlPolicyConflict to allow GPO to win...this might not be necessary.
- Is a Proactive Remediation PowerShell better suited for what I am trying to do?
No, do not manage the local administrator groups through Proactive Remediations in Intune. You can use Proactive Remediations as the detection/remediation layer for any machine missing users in the admin group. You should deploy both.
If you need to remove a user/group, Proactive Remediations is always the "last layer", not the managed option.
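As an added example that is not part of this reply (nor Microsoft's own sample), here is the detection half of the Proactive Remediations "last layer" described above: it compares the local Administrators group against an allow-list and exits 1 so Intune flags the device as drifted. The allow-list entries are placeholders you would replace with your own accounts and groups; the ADSI fallback and its `objectSid` lookup are my assumption about how to survive an orphaned SID in the group.

```powershell
# Added example: Proactive Remediations DETECTION script for local Administrators drift.
# Exit 0 = compliant, exit 1 = drift found (Intune reads the exit code and the stdout line).
# The allow-list below is a placeholder; fill it with your tenant's real principals.
$ExpectedMembers = @(
    'AzureAD\helpdesk.admin@contoso.example',   # placeholder cloud identity
    'CONTOSO\Workstation Admins'                # placeholder AD group (hybrid scenario)
)

function Get-AdministratorsMembers {
    # Resolve the group by its well-known SID (S-1-5-32-544) so a renamed or
    # localized group name still works.
    try {
        Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
            ForEach-Object { [pscustomobject]@{ Name = $_.Name; SID = $_.SID.Value } }
    }
    catch {
        # Get-LocalGroupMember throws when the group holds an orphaned SID (a deleted
        # domain or cloud principal). Assumption: fall back to ADSI, which still lists
        # such members, reading the SID bytes from objectSid.
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
        foreach ($m in $group.psbase.Invoke('Members')) {
            $path     = $m.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
            $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
            $sid      = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
            [pscustomobject]@{
                Name = ($path -replace '^WinNT://', '' -replace '/', '\')
                SID  = $sid
            }
        }
    }
}

function Compare-AdministratorsMembership {
    param([string[]]$Expected, [object[]]$Actual)
    # Members present that are not on the allow-list. The built-in Administrator
    # (RID 500) is always tolerated here because LAPS or a rename may touch it.
    $extra = @($Actual | Where-Object {
        $_.SID -notlike 'S-1-5-21-*-500' -and ($Expected -notcontains $_.Name)
    } | ForEach-Object { $_.Name })
    # Allow-listed principals that are no longer in the group.
    $missing = @($Expected | Where-Object { $Actual.Name -notcontains $_ })
    [pscustomobject]@{ Extra = $extra; Missing = $missing }
}

$actual = Get-AdministratorsMembers
$drift  = Compare-AdministratorsMembership -Expected $ExpectedMembers -Actual $actual

if ($drift.Extra.Count -eq 0 -and $drift.Missing.Count -eq 0) {
    Write-Output "Compliant: $(@($actual).Count) members, all on the allow-list"
    exit 0
}
# One line of stdout is what shows up in the Proactive Remediations report per device.
Write-Output ("Drift - unexpected: [{0}] missing: [{1}]" -f ($drift.Extra -join ', '),
                                                           ($drift.Missing -join ', '))
exit 1
```

The matching remediation script would reuse `Compare-AdministratorsMembership` and call `Remove-LocalGroupMember` for `Extra` and `Add-LocalGroupMember` for `Missing`, which is exactly the removal case the reply says the managed policy does not handle on its own. Run the detection script first with no remediation assigned so the report tells you what the policy left behind before anything gets changed.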