I had a DC crash and we lost everything. I've rebuilt the on-prem domain using a new name, configured Azure AD and re-added my users. They are tied to their O365 account licenses. Today I tried to rejoin test PCs to the new domain. I used the local admin account to leave the old domain and join our new "superhappyfuntime" domain.
I have set a very simple GPO to control the lock screen image and disable Spotlight ads from Microsoft. I've also set a password policy that conforms to complexity and password age as per Corp requirements. I have also disabled cloud content and the cloud "experience". Machines in a domain should not be loading Disney, Microsoft TV & Movies, Games and other malware. These simple policies are attached to the default domain policy of the on-prem AD. No other GPOs have been defined. The server does not have a local GPO. The workstation does not have a local GPO.
The policy is being ignored. The Win 11 test machines that I have moved from the dead domain to the new one are now infested with the cloud experience, including trials for Office and Adobe products. Prior to adding it to the new domain, the workstation was devoid of Microsoft malware for kiddies. After joining the domain, I'm prompted to reboot. On reboot, Win 11 is doing updates to push the unwanted material.
Does anyone have any ideas on why Win 11 is ignoring GPO and filling up these machines? They have a 120GB drive and after the "updates" of games and forced ads, I am left with less than 5GB free disk space. My users store everything on one drive.