Troubleshooting “Something went wrong error 801c0003” during enrollment via Windows AutoPilot and Microsoft Intune

Introduction

Yesterday I needed to deploy a new Windows 10 version 1709 Virtual Machine using Windows AutoPilot, with a user that did not have Administrative permissions on that Virtual Machine, so I created the profile in Windows AutoPilot in the Microsoft Store for Business and reset my virtual machine.

After working my way through the Windows AutoPilot OOBE (out of box experience) screens, I was presented with a “Something went wrong” error shown below.

This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code 801c0003.

This error occurs just after you enter your password, at the point where the device should be set up and auto-enrolled into MDM (if that option is enabled and you have Azure AD Premium).

I decided to document the things I needed to check in order to resolve the issue to help others with the same problem. Thanks go to Per Larsen for pointing me in the right direction.

Step 1. Check that the user has the correct license requirements

For auto-enrollment into MDM you need an Azure AD Premium license, so I wanted to verify that the user in question was licensed appropriately. To do so, open https://portal.azure.com and open the Intune service, click on Users and select the username you wish to verify. The username used for this blog post was wipuser@windowsnoob.com.

Next, click on Licenses in the left column. The Licenses available to the user are shown on the right blade along with a count of Enabled services.

To drill down further, click on the Enterprise Mobility + Security E5 license. Details of the services enabled within that license are shown.

Based on the above, you can see that the user is licensed for Azure AD Premium and Intune A Direct, so this is not a licensing issue.

Step 2. Check the Device limit setting in Azure AD

You can set a limit on the number of devices users can enroll. To verify the current setting, open the Azure Active Directory service, click on Devices and then click on Device Settings. Look at the value stored in Maximum number of devices per user.

The value is 20, which is an adequate number of devices for the user to have in Azure.

Step 3. Check the number of devices the user has already enrolled

Next, you should verify the number of devices the user in question has enrolled already. To do so, in the Intune service click on Users, select the username and then click on Devices.

As you can see, the user has already enrolled one device, which is well below the maximum of 20, so you can determine that this is not the issue.

Step 4. Check if the user is in scope for MDM

Next, verify that the user is actually in scope for MDM. To do so, in Azure Active Directory click on Mobility (MDM and MAM), select Microsoft Intune.

In this example you can see that the MDM scope is set to Some, and that it includes the user group All Windows Device Users. So next you need to verify that the user is in that group: in the Intune service click on Groups, then All Groups, select the group in question and search for or locate your user in that group.

The user is present in the group, so that is not the issue.

Step 5. Check if the user is in scope for Azure AD Join

To verify that the user can join devices to Azure AD, open the Azure Active Directory service, click on Devices and then click on Device Settings. Look at the value stored in Users may join devices to Azure AD; it can be one of the following three options:

  • All
  • Selected
  • None

In this example it is Selected and the User Group in question can be viewed by clicking on 1 member selected.

The user group in this example is called Allowed Azure Ad Join.

By clicking on the user group and then clicking on Members you can see what users are in that user group.

From the above you can see that the user is NOT in this user group.

To resolve the ‘something went wrong’ error, click on +Add members and select the user in question, then click Try again on the Windows device.

Step 6. Check for Enrollment restrictions

In the Intune service click on Device enrollment, then Enrollment restrictions, and look at the settings for Device Limits.

You can also review the Device Type restrictions; however, the Windows operating system is not listed there as of 2017/1/16.
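If you want to run the user-side checks from Steps 1, 3, 4 and 5 from a console rather than clicking through the portal, the script below does that with the AzureAD PowerShell module. It is an added example and not part of the original post: it assumes the AzureAD module is installed (Install-Module AzureAD) and that you have already run Connect-AzureAD with an account that can read users, licenses, devices and groups. The UPN, group names and device limit are the values used in this post and must be changed to match your tenant; the Device settings values from Steps 2 and 5 (maximum devices per user, Users may join devices to Azure AD) are still read in the portal as described above.

```powershell
# Added example, not code from the original post. Runs the user-side checks from
# Steps 1, 3, 4 and 5 with the AzureAD PowerShell module (assumed installed with
# Install-Module AzureAD and already connected with Connect-AzureAD).
# The UPN, group names and device limit are the values from the post; change them
# to match your tenant.

param(
    [string]$UserPrincipalName = 'wipuser@windowsnoob.com',
    [string]$MdmScopeGroup     = 'All Windows Device Users',  # Step 4 group
    [string]$JoinAllowedGroup  = 'Allowed Azure Ad Join',      # Step 5 group
    [int]   $MaxDevicesPerUser = 20                            # Step 2 value read in the portal
)

# Direct members only: Get-AzureADGroupMember does not expand nested groups.
function Test-AzureADGroupMembership {
    param([string]$GroupDisplayName, [string]$UserObjectId)
    $group = Get-AzureADGroup -Filter "displayName eq '$GroupDisplayName'" |
        Select-Object -First 1
    if (-not $group) {
        Write-Warning "Group '$GroupDisplayName' not found"
        return $false
    }
    $members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true
    return [bool]($members | Where-Object { $_.ObjectId -eq $UserObjectId })
}

$user = Get-AzureADUser -ObjectId $UserPrincipalName

# Step 1: service plans that are actually provisioned for the user.
# AAD_PREMIUM / AAD_PREMIUM_P2 is Azure AD Premium, INTUNE_A is Intune A Direct.
$plans = Get-AzureADUserLicenseDetail -ObjectId $user.ObjectId |
    ForEach-Object { $_.ServicePlans } |
    Where-Object { $_.ProvisioningStatus -eq 'Success' }
$hasAadPremium = @($plans | Where-Object { $_.ServicePlanName -like 'AAD_PREMIUM*' }).Count -gt 0
$hasIntune     = @($plans | Where-Object { $_.ServicePlanName -eq 'INTUNE_A' }).Count -gt 0

# Step 3: devices already registered to this user, compared with the Step 2 limit.
$deviceCount = @(Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId -All $true).Count

# Steps 4 and 5: membership of the MDM scope group and the Azure AD join group.
$inMdmScope = Test-AzureADGroupMembership -GroupDisplayName $MdmScopeGroup   -UserObjectId $user.ObjectId
$canJoinAad = Test-AzureADGroupMembership -GroupDisplayName $JoinAllowedGroup -UserObjectId $user.ObjectId

# One row per check; any $false here is the next thing to look at in the portal.
[pscustomobject]@{
    User              = $user.UserPrincipalName
    AzureADPremium    = $hasAadPremium
    IntuneLicensed    = $hasIntune
    RegisteredDevices = $deviceCount
    UnderDeviceLimit  = $deviceCount -lt $MaxDevicesPerUser
    InMdmScopeGroup   = $inMdmScope
    InAadJoinGroup    = $canJoinAad
}

# The fix from Step 5, shown commented out so nothing is changed by just running the checks:
# $joinGroup = Get-AzureADGroup -Filter "displayName eq '$JoinAllowedGroup'"
# Add-AzureADGroupMember -ObjectId $joinGroup.ObjectId -RefObjectId $user.ObjectId
```

In the scenario from this post the output would show every check as true except InAadJoinGroup, which points straight at Step 5. The group check only looks at direct members, so if your join or MDM scope groups contain nested groups, check those in the portal as well before concluding the user is out of scope.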

Summary

Sometimes, even when things go wrong and you get a message that tells you what the problem is, it still takes some digging and verification to resolve it. There may be other things that can generate the above error; if so, let me know and I’ll add them.
