Questions[microsoft-intune](server)

I have a bit of a weird situation, already contacted Microsoft support, but hoping sages here know something. We are planning a change of UPN for our 700+ users. We are in the process of testing what consequences this will bring. ( I know, a lot! :) )

Here is the test case:

I changed the UPN of a test user in the local AD, and synced it to AzureAD with AzureADConnect. I then checked that the user contains no references to the OLD upn. I then tried to use roll out an intune device for this user (Both an iPad and an Android device).

Intune seems in both cases to dig up the old UPN from somewhere for these fresh/new devices. Android device actually gets stuck in a loop because the old UPN is used for authentication while that obviously no longer works. The iPad seems to work, but any certificate i deploy on the device seems to contain the old username + UPN...

I want to make sure that a user in our domain [email protected] does not login to a device that has been assigned to [email protected]. I have created a configuration profile but not sure what the settings should be and the string value to be for such kind of situation.

Any suggestions and answer would be appreciated.

I am trying to improve our exposure score on Microsoft Defender and noted that "Block persistence through WMI event subscription" has a remediation which Ive already applied since almost a month now.

Remediation:

• Ensure that Microsoft Defender Antivirus is turned on as the primary antivirus solution, with Real-Time Protection enabled. (checked and applied given the 0 exposed devices, and 0 impact)

• Enable this ASR rule in Block mode using Group Policy (done)

However, despite the attack surface reduction rule blocking persistence through WMI event subscriptions as reported on MEM (endpoint manager/intune),

it just doesnt seem to be really syncing with the remediation on Microsoft defender. The impact appears to have remained the same, and even my PC, despite the latest updates, appears to still reflect as an exposed device.

Win32 app uses bat file to install software and edit registry keys. Registry keys are modified if I run bat file locally but not when run through via Intune because Intune runs installation as System.

I created a PowerShell script that works when run locally but if I use Intune registry keys are not modified.

How can I edit registry keys via Intune?

Intune PowerShell scripts Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'AutoAdminLogon' -Value 0

Win32 app bat file reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoAdminLogon" /t REG_SZ /d "" /f

I'm seeing conflicting suggestions from MS about whether to use MDM or Intune. One says to use MDM when possible despite Intune having more features.

https://docs.microsoft.com/en-us/intune/pc-management-comparison

https://support.office.com/en-us/article/choose-between-mdm-for-office-365-and-microsoft-intune-c93d9ab9-efb2-4349-9b93-30c30562ee22

I'm leaning towards Intune, since we aren't close to having 7000 devices. Aside from cost, what are the reasons to go with one or the other?