Hello,
Yeah, I tried that, but it does no good.
Example: we have a user named John Smith, and the AD domain is Contoso. His account name would be something like Contoso\josm.
At the same time his email address is John.Smith@contoso.com.
Normally the UPN in AD would be josm (the account name); now they have changed it to the email address john.smith@contoso.com.
The issued user certificate now has the subject alternative name john.smith@contoso.com, and this is the username I see the computer trying to authenticate with through EAP-TLS. Now I can strip the domain and be left with john.smith, but AD still doesn't know any account named john.smith; it knows about josm, or contoso\josm.
To me it looks like a bad idea to change the UPN, since any solution using certificates for user authentication towards AD would face the same issue, unless there is a way to use the sAMAccountName as the SAN field through the certificate template.
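An added example, not code from the original thread: the lookup problem described above, reproduced in PowerShell. It reads the UPN out of a user certificate's Subject Alternative Name (the value the supplicant presents over EAP-TLS) and then queries AD twice, once by the userPrincipalName attribute and once with the domain-stripped name as sAMAccountName, so you can see which of the two actually resolves for a given account. It assumes the RSAT ActiveDirectory module is installed, that the user certificate has been exported to a .cer file, and that the function name and path are illustrative.

```powershell
# Added example (not from the original thread). Assumes the RSAT ActiveDirectory
# module is installed and the user certificate is exported as a .cer file.
# The function name and the certificate path are illustrative.
Import-Module ActiveDirectory

function Resolve-CertificateUser {
    param(
        [Parameter(Mandatory)]
        [string]$CertificatePath
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificatePath

    # GetNameInfo(UpnName) returns the otherName UPN (OID 1.3.6.1.4.1.311.20.2.3)
    # from the SAN extension, or an empty string if the certificate has none.
    $sanUpn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
    if ([string]::IsNullOrEmpty($sanUpn)) {
        throw "Certificate $($cert.Thumbprint) carries no UPN in its SAN; EAP-TLS has nothing to map to an account."
    }

    # The SAN string comes straight from the presented certificate, so escape it
    # before embedding it in an AD filter; a crafted UPN must not alter the query.
    $stripped     = ($sanUpn -split '@', 2)[0]
    $safeUpn      = $sanUpn  -replace "'", "''"
    $safeStripped = $stripped -replace "'", "''"

    # Lookup 1: match the SAN UPN against the userPrincipalName attribute.
    $byUpn = Get-ADUser -Filter "userPrincipalName -eq '$safeUpn'" -Properties userPrincipalName
    # Lookup 2: treat the domain-stripped name as a sAMAccountName.
    $bySam = Get-ADUser -Filter "sAMAccountName -eq '$safeStripped'"

    $matchedByUpn = if ($byUpn) { $byUpn.SamAccountName } else { $null }
    $matchedBySam = if ($bySam) { $bySam.SamAccountName } else { $null }

    [pscustomobject]@{
        Thumbprint         = $cert.Thumbprint
        SanUpn             = $sanUpn
        DomainStrippedName = $stripped
        MatchedByUpn       = $matchedByUpn   # sAMAccountName of the account whose UPN equals the SAN, if any
        MatchedBySam       = $matchedBySam   # account whose sAMAccountName equals the stripped name, if any
    }
}

# Example run against an exported user certificate (path is illustrative):
Resolve-CertificateUser -CertificatePath 'C:\temp\john.smith.cer' | Format-List
```

For the John Smith case in the post, MatchedBySam comes back empty while MatchedByUpn shows whether the certificate's UPN still lines up with the account's userPrincipalName; whichever column resolves is the attribute the RADIUS-side account lookup has to use. The quote escaping is not decoration: the SAN value is attacker-influenced input to an LDAP-backed query.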