Subject: Best Practices for Aligning UPNs in Hybrid Entra ID + Intune Environment

chrisgleason78​ I think you're on the right track for the UPNs having to match. I have never experienced any issues with changing the UPN on-prem to match the UPN in Entra ID, but if you're worried, I suggest going through the process with a test user, or maybe even a group of tech-savvy users who can report any issues back to you. 

A powershell script can help with bulk changing the UPN, I recommend getting a report, maybe CSV export first to get an overview. Also, if the changing of the UPN would cause any issues, you can simply change it back again with this export.

The device enrollment issues though; I can't say. If for example some users with mismatched UPNs are not experiencing any issues and some are, this might not be the cause. Maybe something related with network connectivity / firewall or rather: licensing, especially Intune license assignments. But for troubleshooting such a specific gpo enrollment issue, I would try to reproduce the issue and use the event viewer, which is also outlined here: https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-enrollment/troubleshoot-windows-auto-enrollment