Exam MD-101 topic 4 question 32 discussion

Seeing this: This user is not allowed to enroll. Error 0x801c0003: "This user is not allowed to enroll. You can try again or contact your system administrator with the error code 801c0003." Cause: The Users may join devices to Azure AD setting is set to None. It prevents new users from joining their devices to Azure AD. Therefore Intune enrollment fails. Resolution Sign in to the Azure portal as administrator. Go to Azure Active Directory > Devices > Device Settings. Set Users may join devices to Azure AD to All. Enroll the device again. leads me to believe that the answer is B https://docs.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors

Modify the Device settings in Azure AD. Maximum number of devices - This setting enables you to select the maximum number of Azure AD joined or Azure AD registered devices that a user can have in Azure AD. If a user reaches this quota, they are not be able to add additional devices until one or more of the existing devices are removed. The default value is 50. You can increase the value up to 100 and if you enter a value above 100, Azure AD will set it to 100. You can also use Unlimited value to enforce no limit other than existing quota limits. https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

None are correct today - answer presented before was correct. Modern current answer: Device enrollment managers added from Intune - Device Enrollment > Enroll Device > Device enrollment managers Users added here can enroll 1000 computers.

B seems correct to me. Assuming the administrator is the one who is enrolling devices to azure we can put him in a group and assign that group in Azure > Device Settings.

The cause The person receives the error, because he or she has reached the limit of maximum allowed devices to Azure AD Join. By default, Azure Active Directory enforces a limit of 20 devices for any user object to join. It even enforces this limit on privileged users, like users with the Global Admin role (Admin1) https://dirteam.com/sander/2018/03/20/knowledgebase-you-receive-error-801c0003-when-you-try-to-azure-ad-join-a-device-during-the-out-of-the-box-experience-oobe/

increase the device enrollment limit under devices enrollment restriction

https://systemcenterdudes.com/intune-error-0x801c003-this-user-is-not-authorized-to-enroll/

https://docs.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors

B is correct, it's possible to increase the number here : Maximum number of device per user. and it can be also done under intune ( under Enrollement restriction > Device limit restriction)

The given answer I correct. I checked it myself. In AAD you go to Devices>Device settings> Maximum number of devices per user and choose the number you want to set.

I don't think the options you are given are very useful if you want to apply the principle of least privilige. Microsoft gives the solution to increase the device limit in Endpoint through Devices > Enrollment restrictions > Default (under Device limit restrictions) > Properties > Edit (next to Device limit) > increase the Device limit (maximum 15)> Review + Save. Source: https://docs.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors The only problem is that it gives all users the same limit to register devices. Wouldn't a device enrollment manager account be the better option (so modify the user)?

Wouldn't C. Assign the Cloud device administrator role to Admin1. be the correct answer?

the question led me to believe that the user had maxed out their total # of enrollments (15). isn't the goal to modify the user so they can continue to enroll?