KnowledgeBase: You receive error 801c0003 when you try to Azure AD Join a device during the Out-of-the-Box Experience (OOBE)

Sometimes, error codes for Microsoft products and technologies are really straightforward. Especially in situations where you have limited to no troubleshooting options, like the Windows Out-of-the-Box Experience (OOBE), this might prove difficult to solve.

Today, let’s look at one of the most common errors you might encounter when you try to Azure AD Join a Windows 10-based device:

Something went wrong. This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code 801c0003 (click for original screenshot)

 

The situation

For any organization using an Azure Active Directory tenant, Azure AD Join is enabled by default. This functionality allows your users to designate the Windows installation on devices they trust, as trusted device for single sign-on (SSO). The only thing these users, by default, need is a user object in Azure Active Directory.

Windows 10 offers two built-in methods for users to join their devices to Azure AD:

  1. In the Out-of-the-Box Experience (OOBE)
  2. In the Settings app

In both situations, the user account used for the Azure AD Join gains local administrator privileges, as Azure AD Join is seen as a Bring Your Own Device (BYOD) scenario by Microsoft.

 

The error

When a person tries to register another Windows 10 device to Azure AD using their user account, he or she receives an error stating:

Something went wrong.

This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code 801c0003 (click for original screenshot)

 

The cause

The person receives the error, because he or she has reached the limit of maximum allowed devices to Azure AD Join.

By default, Azure Active Directory enforces a limit of 20 devices for any user object to join. It even enforces this limit on privileged users, like users with the Global Admin role.

This arbitrary value was chosen, because, by default, Azure AD-joined devices are not removed after an idle time-out. It closely resembles the default behavior of the 10-devices limit in Active Directory Domain Services (AD DS) for non-admins, but because Azure AD is at least twice as good as good ol’ AD DS, I guess the team settled on 20.

For organizations using Microsoft Intune and automatic device enrollment, the 20-device limit makes sense, because of the restrictions in licensed devices within Intune licenses assigned to users.

 

The solutions

As an admin, you can prevent the error from occurring in four separate ways:

Disable Azure AD Join

We encounter Azure AD usage like Azure AD Join in many organizations that have simply synchronized objects from Active Directory Domain Services to enable access to Office 365. Their admins would typically have chosen to use Express Settings with Azure AD Connect and go with Azure AD’s default settings, which results in the scenario where every user can use this functionality, but admin oversight.

To disable Azure AD Join, follow these steps:

  • Open your browser and navigate to https://portal.azure.com
  • Sign in with a user account in your Azure Active Directory tenant with at least Global Administrator privileges. Perform multi-factor authentication, when prompted.
  • In the left navigation pane, click Azure Active Directory.
  • In the new pane that emerges, click Devices.
  • In the Devices pane, click Device settings.
  • Select None for the switch labeled Users may join devices to Azure AD. This will apply to all Windows 10-based devices
  • Select None for the switch labeled Users may register their devices with Azure AD. This will also disable Azure-based Workplace Join for iOS and Android devices, as well as legacy Windows versions like Windows 7 and Windows 8.1.
  • Click Save.
  • Close the browser.

This way, as an admin, you don’t have to deal with these settings just yet. Note, however, that the above two switches do not apply to device synchronization in Azure AD Connect.

Make users join their own devices

In other organizations, admins may use their account to Azure AD join devices. This way, they circumvent the default BYOD behavior of local admin rights to the user account belonging to the person joining the device.

Indeed, the admin is the only person with local administrator rights on these devices, but it breaks the model in organizations that (later on decide to) implement Microsoft Intune.

Although every Microsoft feature, product and technology is used in ways that wasn’t envisioned by Microsoft, this is not a feature you want to abuse this way. When you want to leverage Azure AD Join, allow your users to join their devices using their user accounts.

Up the device limit

Of course, you can also up the Azure AD Join device limit. Follow these steps to do so:

  • Open your browser and navigate to https://portal.azure.com
  • Sign in with a user account in your Azure Active Directory tenant with
    at least Global Administrator privileges. Perform multi-factor authentication,
    when prompted.
  • In the left navigation pane, click Azure Active
    Directory
    .
  • In the new pane that emerges, click Devices.
  • In the Devices pane, click Device
    settings
    .
  • Select your favorite number for the value labeled Maximum number of devices per user. Values include 5, 10, 20 ,50, 100 and Unlimited.

Change the Azure AD Join Device Limit (click for the original screenshot)

  • Click Save.
  • Close the browser.

Delete some devices

Another way is to delete some of the devices from Azure AD for the person encountering the error. As there is no way for users to self-manage their Azure AD-joined device, you can channel your inner BOFH and delete some of the devices the person no longer needs(and their associated BitLocker recovery information).

Perform these actions:

  • Open your browser and navigate to https://portal.azure.com
  • Sign in with a user account in your Azure Active Directory tenant with
    at least Global Administrator privileges. Perform multi-factor authentication,
    when prompted.
  • In the left navigation pane, click Azure Active
    Directory
    .
  • In the new pane that emerges, click Devices.
  • Either Search by name from the top bar, or sort the information on devices using the Owner field.
  • Select a device at random of confer with the person on a suitable device. Click on the three little dots on the end of the line for your device of choice. Select Delete from the context-menu.
  • Close the browser.

 

Concluding

As an admin you can help colleagues encountering error 801c0003 when they try to Azure AD Join another device in the Out-of-the-Box Experience (OOBE) in several ways.

Further reading

Managing devices using the Azure portal
Error code 801c0003

One Response to KnowledgeBase: You receive error 801c0003 when you try to Azure AD Join a device during the Out-of-the-Box Experience (OOBE)

  1.  

    Also a common issue and an issue that litteraly could take time to find, correct bios time/date.

leave your comment