anyweb

Troubleshooting “Something went wrong error 801c0003” during enrollment via Windows AutoPilot and Microsoft Intune

Introduction

Yesterday I needed to deploy a new Windows 10 version 1709 Virtual Machine using Windows AutoPilot, with a user that did not have Administrative permissions on that Virtual Machine, so I created the profile in Windows AutoPilot in the Microsoft Store for Business and reset my virtual machine.

After working my way through the Windows AutoPilot OOBE (out of box experience) screens, I was presented with a “Something went wrong” error shown below.

something-went-wrong.png

Quote:

This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code 801c0003.


This error can occur just after entering your password, at the point where the device should be set up and auto-enrolled into MDM (if you have that option enabled and have Azure AD Premium).

I decided to document the things I needed to check in order to resolve the issue to help others with the same problem. Thanks go to Per Larsen for pointing me in the right direction.

Step 1. Check that the user has the correct license requirements

For auto-enrollment into MDM you need an Azure AD Premium license, so I wanted to verify that the user in question was licensed appropriately. To do so, open https://portal.azure.com and open the Intune service, click on Users and select the username you wish to verify. The username used for this blog post was wipuser@windowsnoob.com.

Next, click on Licenses in the left column. The Licenses available to the user are shown on the right blade along with a count of Enabled services.

Licenses.png

To drill down further, click on the Enterprise Mobility + Security E5 license. Details of the services enabled within that license are shown.

services.png

Based on the above, you can see that the user is licensed for Azure AD Premium and Intune A Direct, so this is not a licensing issue.

Step 2. Check the Device limit setting in Azure AD

Note: the Azure AD maximum devices setting controls Azure AD device registration, not MDM enrollment. Azure AD registration and MDM enrollment are two separate features controlled by two separate products. Not every MDM enrollment requires Azure AD registration, and vice versa. That said, Windows AutoPilot does require Azure AD join, so it's a good idea to verify this setting before continuing your troubleshooting.

You can set a limit on the number of devices users can enroll. To verify the current setting, open the Azure Active Directory service, click on Devices and then click on Device Settings. Look at the value stored in Maximum number of devices per user.

max-number-of-devices.png

The value is 20, which is an adequate number of devices for the user to have in Azure AD.

Step 3. Check the number of devices the user has already enrolled

Next, verify how many devices the user in question has already enrolled. To do so, in the Intune service click on Users, select the username and then click on Devices.

devices.png

As you can see, the user has already enrolled one device. That is well below the maximum of 20, so you can rule this out as the cause.

Step 4. Check if the user is in scope for MDM

Next, verify that the user is actually in scope for MDM. To do so, in Azure Active Directory click on Mobility (MDM and MAM), then select Microsoft Intune.

mdm-user-scope.png

In this example you can see that the MDM user scope is set to Some, and that it includes the user group called All Windows Device Users. Next you need to verify that the user is a member of that group. To do that, in the Intune service click on Groups, then All Groups, select the group in question and search for or locate your user in that group.

user-is-in-scope-user-group.png

The user is present in the group, so that is not the issue.

Step 5. Check if the user is in scope for Azure AD Join

To verify that the user can join devices to Azure AD, open the Azure Active Directory service, click on Devices and then click on Device Settings. Look at the value stored in Users may join devices to Azure AD; it can be one of the following three options:

  • All
  • Selected
  • None

In this example it is Selected, and the user group in question can be viewed by clicking on 1 member selected.

selected.png

The user group in this example is called Allowed Azure Ad Join.

azure-ad-join-devices.png

By clicking on the user group and then clicking on Members, you can see which users are in that user group.

user-is-missing.png

From the above you can see that the user is NOT in this user group, which is why Azure AD join (and therefore AutoPilot enrollment) fails for this user.

To resolve the ‘something went wrong’ error, click on +Add members and select the user in question, then click on Try again on the Windows device.

Step 6. Check for Enrollment restrictions

In the Intune service click on Device Enrollment, then Enrollment Restrictions, and look at the settings for Device Limit Restrictions.

device-limit-restrictions.png

In this case it's 15, which is more than the number of devices the user has listed under Devices. You can also review the Device Type restrictions; however, the Windows operating system is not listed there as of 2017/1/16.
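The per-user checks from Steps 1, 3, 4 and 5 can be gathered in one read-only pass with the AzureAD PowerShell module. This is an added example, not part of the original post; the username, group names and the device limit of 20 are assumptions taken from the post and must be adjusted to your tenant.

```powershell
# Added example (not from the original post): read-only check of the
# per-user prerequisites for AutoPilot / MDM auto-enrollment.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$Upn           = 'wipuser@windowsnoob.com'   # user from the post (assumption)
$MdmScopeGroup = 'All Windows Device Users'  # MDM user scope group, Step 4
$JoinGroup     = 'Allowed Azure Ad Join'     # "Users may join devices" group, Step 5
$MaxDevices    = 20                          # Azure AD per-user device limit, Step 2

$user = Get-AzureADUser -ObjectId $Upn

# Step 1: the service plans MDM auto-enrollment needs.
# AAD_PREMIUM* = Azure AD Premium (P1/P2), INTUNE_A = Intune A Direct.
$plans = (Get-AzureADUserLicenseDetail -ObjectId $user.ObjectId).ServicePlans |
    Where-Object { $_.ProvisioningStatus -eq 'Success' } |
    Select-Object -ExpandProperty ServicePlanName
$hasAadPremium = [bool]($plans -match '^AAD_PREMIUM')
$hasIntune     = $plans -contains 'INTUNE_A'

# Step 3: devices already registered to this user, compared with the limit.
$deviceCount = @(Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId -All $true).Count

# Steps 4 and 5: resolve group memberships once, then test both groups.
$groups = Get-AzureADUserMembership -ObjectId $user.ObjectId -All $true |
    Select-Object -ExpandProperty DisplayName
$inMdmScope = $groups -contains $MdmScopeGroup
$canJoinAad = $groups -contains $JoinGroup

# Any $false / over-limit value below is a candidate cause of error 801c0003.
[pscustomobject]@{
    User               = $Upn
    AzureADPremium     = $hasAadPremium
    IntuneLicensed     = $hasIntune
    RegisteredDevices  = $deviceCount
    UnderDeviceLimit   = ($deviceCount -lt $MaxDevices)
    InMdmScopeGroup    = $inMdmScope
    InAzureAdJoinGroup = $canJoinAad
} | Format-List
```

The AzureAD module has since been deprecated in favour of the Microsoft Graph PowerShell SDK; the same user, license, device and membership data is available there.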

Summary

Sometimes, even when things go wrong and you get a message that tells you what the problem is, it still requires some digging and verification to resolve. There may be other things that can generate the above error, if so let me know and I’ll add them.
