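<#
.SYNOPSIS
    Intune remediation: rewrites MDM enrollment UPNs whose domain does not match the target domain.

.DESCRIPTION
    Enumerates HKLM:\SOFTWARE\Microsoft\Enrollments and, for every enrollment whose ProviderID is
    'MS DM Server' and whose UPN carries a domain other than $TargetDomain, replaces the domain part
    of the UPN with $TargetDomain. Before the first rewrite of a given enrollment the original UPN
    is preserved once in the string values UPN_OldBackup and UPN_OldBackupTimestamp; later runs
    never overwrite that backup.

    Writing under HKLM needs an elevated context (Intune runs remediations as SYSTEM). Each
    enrollment is processed independently: a failure on one is recorded and the rest continue.

.PARAMETER TargetDomain
    Domain the enrollment UPNs should end in. Defaults to 'patchmypc.com'.

.OUTPUTS
    A per-enrollment table (EnrollmentId, KeyPath, OldUPN, NewUPN, Status) when at least one
    mismatch was found, otherwise a single "no changes" line.

.NOTES
    Exit code is 0 when every mismatch was rewritten (or none was found) and 1 when at least one
    rewrite failed, so the remediation is reported as failed instead of silently succeeding.
#>
[CmdletBinding()]
param(
    [Parameter()]
    [ValidateNotNullOrEmpty()]
    [string]$TargetDomain = 'patchmypc.com'   # change if needed
)

$baseKey = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$now     = Get-Date
$changes = @()

Get-ChildItem -Path $baseKey -ErrorAction SilentlyContinue | ForEach-Object {
    $keyPath      = $_.PSPath
    # Captured up front: inside a catch block $_ is the ErrorRecord, not this registry key,
    # so reading $_.PSChildName there would yield an empty EnrollmentId.
    $enrollmentId = $_.PSChildName
    $props        = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue

    # Only MDM enrollments carry a UPN this script should touch.
    if ($null -eq $props -or $props.ProviderID -ne 'MS DM Server') { return }

    $upn = $props.UPN
    if ([string]::IsNullOrWhiteSpace($upn) -or $upn -notlike '*@*') { return }

    # Split on the first '@' only. Skip malformed values such as '@domain' or 'user@',
    # which would otherwise be rewritten into an invalid UPN.
    $user, $domain = $upn.Split('@', 2)
    if ([string]::IsNullOrWhiteSpace($user) -or [string]::IsNullOrWhiteSpace($domain)) { return }

    # -eq on strings is case-insensitive in PowerShell, which matches UPN domain semantics.
    if ($domain -eq $TargetDomain) { return }

    $newUpn = "$user@$TargetDomain"
    $record = [pscustomobject]@{
        EnrollmentId = $enrollmentId
        KeyPath      = $keyPath
        OldUPN       = $upn
        NewUPN       = $newUpn
        Status       = $null
    }

    try {
        # One-time backup: never overwrite an existing UPN_OldBackup, so the very first
        # original UPN survives repeated remediation runs.
        $backupName   = 'UPN_OldBackup'
        $backupExists = (Get-ItemProperty -Path $keyPath -Name $backupName -ErrorAction SilentlyContinue).$backupName
        if (-not $backupExists) {
            New-ItemProperty -Path $keyPath -Name $backupName -Value $upn -PropertyType String -Force | Out-Null
            New-ItemProperty -Path $keyPath -Name 'UPN_OldBackupTimestamp' -Value $now.ToString('s') -PropertyType String -Force | Out-Null
        }

        Set-ItemProperty -Path $keyPath -Name 'UPN' -Value $newUpn -Force
        $record.Status = 'Updated'
    }
    catch {
        $record.Status = "Failed: $($_.Exception.Message)"
    }

    $changes += $record
}

$failedCount = @($changes | Where-Object { $_.Status -ne 'Updated' }).Count

if ($changes.Count -gt 0) {
    Write-Output "Processed UPN mismatches under $baseKey"
    $changes | Format-Table -AutoSize | Out-String | Write-Output
}
else {
    Write-Output "No UPN changes required under $baseKey"
}

# A non-zero exit surfaces partial failure to the caller instead of reporting success.
if ($failedCount -gt 0) { exit 1 }
exit 0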