Hello all again,

Just to remind myself: to enable GPO remote updates and remote policy logging, the inbound firewall rules that need to be enabled on the client are:

For remote policy updates:
Remote Scheduled Tasks Management (RPC)
Remote Scheduled Tasks Management (RPC-EPMAP)
Windows Management Instrumentation (WMI-in)
 
For remote policy logging:
Remote Event Log Management (NP-in)
Remote Event Log Management (RPC)
Remote Event Log Management (RPC-EPMAP)
Windows Management Instrumentation (WMI-in)
 
As always, that means TCP port 135 for RPC, port 445 for named pipes, and the dynamic ports associated with the endpoint mapper.
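
A way to check the rules listed above on a client, added here as an example and not part of the original note: the script reports whether each rule is present and enabled, and only changes anything when run with the hypothetical `-Enable` switch. It assumes the English display names shown in the lists, an elevated PowerShell session on the client, and that only rules applying to the Domain profile matter (that filter is an assumption).

```powershell
# Added example: audit (and optionally enable) the inbound rules from the lists above.
# -Enable is a hypothetical switch of this script; without it nothing is changed.
param([switch]$Enable)

$required = [ordered]@{
    'Remote policy updates' = @(
        'Remote Scheduled Tasks Management (RPC)',
        'Remote Scheduled Tasks Management (RPC-EPMAP)',
        'Windows Management Instrumentation (WMI-In)'
    )
    'Remote policy logging' = @(
        'Remote Event Log Management (NP-In)',
        'Remote Event Log Management (RPC)',
        'Remote Event Log Management (RPC-EPMAP)',
        'Windows Management Instrumentation (WMI-In)'
    )
}

$report = foreach ($feature in $required.Keys) {
    foreach ($name in $required[$feature]) {
        # A display name can match several rules (one per profile set);
        # keep the inbound ones that cover the Domain profile (assumption).
        $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
            Where-Object { $_.Direction -eq 'Inbound' -and
                           $_.Profile.ToString() -match 'Domain|Any' })

        if ($Enable -and $rules.Count -gt 0) {
            $rules | Enable-NetFirewallRule
            # Re-read the rules so the report shows the state after the change.
            $rules = @($rules | ForEach-Object { Get-NetFirewallRule -Name $_.Name })
        }

        $disabled = @($rules | Where-Object { $_.Enabled -ne 'True' })
        [pscustomobject]@{
            Feature = $feature
            Rule    = $name
            Found   = $rules.Count
            Enabled = ($rules.Count -gt 0) -and ($disabled.Count -eq 0)
        }
    }
}

$report | Format-Table -AutoSize
```

A row with `Found` at 0 means no rule with that display name covers the Domain profile on this client, which is worth checking before assuming the rule is merely disabled.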