David Snider asked:

prevent remote laptops from time drifting from on premise time servers?

I am having issues with the clocks drifting on my remote laptops. I have users that are now working from home and connecting to the VPN every few days. Many times the clocks on the remote computers will drift by about 9 minutes. This causes issues with our MFA application, Duo, allowing them to log into the computer. I end up having to get them to boot to the BIOS and change the system time. Is there a way that I can force them to stop using the local servers for their time server and point them to time.nist.gov? Or, if the local time server is not available, have them just sync with an online time server? I am trying to avoid installing some middleware that syncs the time.
Dr. Klahn:

How much precision is needed?  Is two or three seconds sufficient?  If it is, have the systems do a time synchronization in the startup group, then resync every four hours.

(The resync in the startup group is required because otherwise it might be as much as 4 hours before the system resyncs automatically.)

w32tm /resync

"The polling interval that Windows Time uses is set by the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

If the value of the NtpServer entry in this subkey contains 0x1, Windows Time uses SpecialPollInterval as the polling interval. Otherwise, Windows Time uses MinPollInterval/MaxPollInterval."
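The "resync in the startup group, then every four hours" idea above, as an added example (not code from the thread): a scheduled task that runs w32tm /resync at boot and every four hours as SYSTEM, so the resync does not depend on the logged-on user having the right to set the clock. It assumes an elevated PowerShell 5.1 or later session on Windows 10; the task name "W32Time-Resync" and the 4-hour interval are choices for this example, not Windows defaults.

```powershell
# Added example, not from the thread. Implements the suggestion above:
# run "w32tm /resync" once at every boot and then every four hours, via a
# scheduled task running as SYSTEM (w32tm /resync needs admin rights).
# Assumptions: elevated PowerShell 5.1+ on Windows 10; the task name
# "W32Time-Resync" and the 4-hour interval are choices, not Windows defaults.
$taskName = 'W32Time-Resync'
$interval = New-TimeSpan -Hours 4

$action = New-ScheduledTaskAction -Execute 'w32tm.exe' -Argument '/resync'

# Two triggers: one fires at startup, the other starts in a minute and repeats
# every 4 hours indefinitely (no -RepetitionDuration means "forever" on Windows 10+).
$atBoot  = New-ScheduledTaskTrigger -AtStartup
$every4h = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) `
    -RepetitionInterval $interval

# SYSTEM holds SeSystemtimePrivilege, so the resync can adjust the clock
# even when the logged-on user is not a local administrator.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Laptop-friendly settings: allow on battery, run a missed trigger as soon
# as possible, and never let a hung w32tm block the next run.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $taskName -Action $action `
    -Trigger @($atBoot, $every4h) -Principal $principal -Settings $settings -Force | Out-Null

# Verify: LastTaskResult 0 means the last resync succeeded; a non-zero value
# (for example when the configured time source is unreachable) means it did not.
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 5
Get-ScheduledTask -TaskName $taskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```

Caveat: the task only moves the clock if the time source W32Time is configured to use is reachable when the task fires. A domain-joined laptop whose only source is a domain controller has nothing to sync against while it is off the VPN, and the resync fails regardless of how often it is scheduled.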
David Snider (asker):

1-2 minutes is fine. The main issue is Duo will not allow login if the time is more than 6-8 minutes off. So having something process at login may not work if the time has already drifted. Also, the resync will not work if the time server is my on-premise server and they are remote and have not connected to the VPN yet. Or at least that is how I understand it. I appreciate your input and will give these a try.
A domain joined client will by default only sync its time with one of its domain controllers.
One possibility to change that: create a GPO for the laptops.
Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Time providers, "Configure Windows NTP client".
Set "NtpServer" to the time server of your choice, and "Type" to "AllSync". This will use NT5DS if a DC is available, and the NTP server configured if no DC is available.
Obviously requires that your DCs have the exact time as well.
The machines must be connected long enough to the VPN for the GPOs to apply (which may take up to 90 minutes).
Alternatively, your users can run the following command to update the policies immediately:
gpupdate.exe /target:computer /force

If your users are local administrators, they can do it locally if you don't want to roll out a new GPO:
w32tm.exe /config /update /manualpeerlist:"time.windows.com,0x9" /syncfromflags:ALL
w32tm.exe /resync /rediscover

Thank you. I have this GPO applied at the domain level and linked to my OUs with laptops in them. I originally had it set as "TYPE" NT5DS. I changed it to ALLSYNC per your suggestion. Let's see what it does. Thank you for taking the time to assist.

You should use 0x9 as flags for the time server instead of 0x1. Not using client mode may fail depending on the OS, the time server, and air humidity.
0x01 SpecialInterval
0x02 UseAsFallbackOnly
0x04 SymmetricActive
0x08 Client

Windows Time service tools and settings > "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" subkey entries
https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings#parameters
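To see what the GPO and the 0x9 flag advice in the two answers above actually produce on a client, here is an added example (not code from the thread or from Microsoft). It reads the effective W32Time settings (the policy key under HKLM\SOFTWARE\Policies wins over the service key), decodes the NtpServer flag bits using the table above, shows which source the last sync used, and measures the current offset with w32tm /stripchart. It assumes an elevated PowerShell 5.1 or later session on a domain-joined Windows 10 laptop; time.windows.com is only the peer this example uses for the offset measurement, and the 300-second threshold is an arbitrary choice.

```powershell
# Added example, not from the thread. Reads the effective W32Time client
# settings (policy key wins over service key), decodes the NtpServer flags,
# checks which source was used last, and measures the offset against a public peer.
# Assumptions: elevated PowerShell 5.1+ on a domain-joined Windows 10 laptop;
# time.windows.com and the 300 s threshold are choices made for this example.

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32time\Parameters'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-W32TimeSetting {
    # Returns the first value found, policy key first, together with where it came from.
    param([Parameter(Mandatory)][string]$Name)
    foreach ($key in $policyKey, $serviceKey) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Value = $item.$Name; Source = $key }
        }
    }
}

# Flag bits for the "server,0xN" syntax, from the W32Time documentation linked above.
$flagNames = @{ 1 = 'SpecialInterval'; 2 = 'UseAsFallbackOnly'; 4 = 'SymmetricActive'; 8 = 'Client' }

function ConvertFrom-NtpPeerList {
    # "host1,0x9 host2,0x1" -> one object per peer with the flag bits spelled out.
    param([string]$PeerList)
    foreach ($peer in ($PeerList -split '\s+' | Where-Object { $_ })) {
        $peerHost, $flagText = $peer -split ',', 2
        $flags = if ($flagText) { [int]$flagText } else { 0 }   # [int]'0x9' -> 9
        $names = $flagNames.Keys | Sort-Object | Where-Object { $flags -band $_ } |
                 ForEach-Object { $flagNames[$_] }
        [pscustomobject]@{ Host = $peerHost; Flags = ('0x{0:X}' -f $flags); Meaning = ($names -join '+') }
    }
}

function Get-NtpOffsetSeconds {
    # Average offset reported by w32tm /stripchart. Sample lines look like
    # "14:02:11, +00.0123456s"; failures look like "14:02:11, error: 0x800705B4".
    param([string]$Computer, [int]$Samples = 3)
    $lines = w32tm.exe /stripchart /computer:$Computer /samples:$Samples /dataonly
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No time data from $Computer (unreachable or UDP/123 blocked)" }
    ($offsets | Measure-Object -Average).Average
}

# 1. Effective configuration. If Type still reads NT5DS here, the GPO has not applied.
$type   = Get-W32TimeSetting -Name 'Type'
$server = Get-W32TimeSetting -Name 'NtpServer'
"Type      : $($type.Value)   [$($type.Source)]"
"NtpServer : $($server.Value)   [$($server.Source)]"
ConvertFrom-NtpPeerList -PeerList $server.Value | Format-Table -AutoSize

# 2. Source of the last sync: a DC name means the domain hierarchy won;
#    "Local CMOS Clock" or "Free-running System Clock" means nothing has synced.
w32tm.exe /query /source

# 3. How far off is this machine right now?
$offset = Get-NtpOffsetSeconds -Computer 'time.windows.com'
if ([math]::Abs($offset) -gt 300) {
    Write-Warning ("Clock is off by {0:N1} s; forcing a resync" -f $offset)
    w32tm.exe /resync /rediscover
} else {
    "Offset is {0:N3} s, within tolerance" -f $offset
}
```

Two things worth reading off the output: the Source column tells you whether the values came from the policy key or from the service key, which matters because a Type or NtpServer set by hand with w32tm /config is ignored while a GPO value exists under HKLM\SOFTWARE\Policies; and if w32tm /stripchart returns no offset lines at all, the peer is not reachable from the current network, which is a different problem from the configuration being wrong.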
Unfortunately, neither of the above recommendations was able to resolve the issue.
Could it be that the clients are currently in a deadlock? They need the GPO to get the correct system time, but they need the correct system time to get the GPO?
Are your users local administrators or have the SeSystemtimePrivilege? Then they might have to set the correct time once, connect the VPN, and update the GPO. From then on, it should work (I know for certain that the AllSync setting works).
What are the results of (requires elevation):
w32tm.exe /resync /rediscover

Thank you. I am testing with a system that is off the network, and I connect it to the VPN to test. It shows my last time sync is to the local on-premise server. Then I disconnect from the VPN. When I resync the time via cmd I get an error "No Time Data Available". When I run gpresult, it appears the GP is not applying. So I think my bigger issue is why the GP is not applying.
Did you run "gpupdate.exe /target:computer /force" after connecting to the VPN?
I updated GP and stayed connected to the VPN while I logged off and back on. Ran resync and it worked, but it synced with the on-premise server. I then disconnected from the VPN, waited several minutes and got the same "no data available" error.

Did you verify that the config arrived?
"Type" in "HKLM\SOFTWARE\Policies\Microsoft\W32time\Parameters" should now be "AllSync".
This is on my test system. The only thing is this is not what I set the time server to be. I am also still getting the error when resyncing if I am not connected to the VPN.
Verify the settings under "HKLM\SOFTWARE\Policies\Microsoft\W32time\Parameters" - these have priority over the settings under Services.