Event ID 6065: 80070533 This user can’t sign in because this account is currently disabled

Symptoms
You have enabled Enterprise State Roaming in the Azure Active Directory portal and on some Windows 10 clients. Any supported settings for sync, such as the desktop background or the task bar position, do not sync between devices for the same user. Event ID 6065 is logged in the Microsoft-Windows-SettingSync/Debug event log with the description "80070533 This user can't sign in because this account is currently disabled."

Log Name:      Microsoft-Windows-SettingSync/DebugSource:        Microsoft-Windows-SettingSyncDate: <date and time>Event ID:      6065Task Category: NoneLevel:         ErrorKeywords:      User:          <User SID>Computer: WIN10DESKTOPDescription:shell\roaming\cloudsync\cloudsyncengine\cloudsyncengine.cpp(990)\SettingSyncHost.exe!00007FF701A2A8C2: (caller: 00007FF701A2A3D9) ReturnHr[PreRelease](17) tid(1060) 80070533 This user can't sign in because this account is currently disabled.    CallContext:[\AttemptSyncActivity] 

Cause
The tenant has not been provisioned with the RMSBASIC subscription. This happens automatically when Enterprise State Roaming is enabled in the Azure Active Directory portal and is used to encrypt the synchronized data. If AllowAdHocSubscriptions is set to False on the tenant, this configuration can prevent the tenant from being provisioned with the RMSBASIC subscription.
Resolution

Verify RMSBASIC subscription is enabled on the tenant

  1. Open Powershell and sign in to Azure Active Directory (AAD) using your AAD credentials. The first line will prompt you for your credentials. The second line connects to Azure Active Directory.
    $msolcred = get-credential connect-msolservice -credential $msolcred
  2. Run the following cmdlet to see all the SKUs that the company owns.
    Get-MsolAccountSku 
  3. If RMSBASIC is listed, as in the example output below, you do not need to proceed with the rest of the steps in this article.
AccountSkuIdActiveUnitsWarningUnitsConsumedUnits
-----------------------------------------------------------
tenantname:ENTERPRISEPACK25014
tenantname:INTUNE_A25023
tenantname:AAD_PREMIUM100021
tenantname:RIGHTSMANAGEMENT_ADHOC1000018
tenantname:RMSBASIC1000018


4. If RMSBASIC is not present, as in the example output below, proceed with the steps in the next section.
AccountSkuIdActiveUnitsWarningUnitsConsumedUnits
-----------------------------------------------------------
tenantname:ENTERPRISEPACK25014
tenantname:INTUNE_A25023
tenantname:AAD_PREMIUM100021
tenantname:RIGHTSMANAGEMENT_ADHOC1000018

Verify AllowAdHocSubscriptions is set to "True" on the tenant


The tenant cannot be provisioned with the RMSBASIC subscription if AllowAdHocSubscriptions is set to "False" on the tenant. Use these steps to verify the configuration of AllowAdHocSubscriptions and temporarily set it to "True" to obtain the RMSBASIC subscription.
  1. Open Powershell and sign in to Azure Active Directory (AAD) using your AAD credentials. The first line will prompt you for your credentials. The second line connects to Azure Active Directory.
    $msolcred = get-credential connect-msolservice -credential $msolcred
  2. Run the following cmdlet to determine if your tenant has AllowAdHocSubscriptions set to True or False.
    Get-MsolCompanyInformation | fl AllowAdHocSubscriptions
  3. If AllowAdHocSubscriptions is set to True, you do not need to proceed with rest of the steps. If it is False, you can run the following command to enable AllowAdHocSubscriptions. You can set it back to False in a later step.
    Set-MsolCompanySettings -AllowAdHocSubscriptions $true
  4. In the Azure AD portal, disable and re-enable Enterprise State Roaming. See the Verify USERS MAY SYNC SETTINGS AND ENTERPRISE APP DATA is enabled on the tenant" section, below.
  5. Run the Get-MsolAccountSku cmdlet to see if the RMSBASIC subscription has been added:
    Get-MsolAccountSku

Verify USERS MAY SYNC SETTINGS AND ENTERPRISE APP DATA is enabled on the tenant

After obtaining a Premium Azure AD subscription, follow these steps to enable Enterprise State Roaming:
  1. Log in to the Azure classic portal.
  2. On the left side, select ACTIVE DIRECTORY, and then select the directory for which you want to enable Enterprise State Roaming.
  3. Go to the CONFIGURE tab.
  4. Scroll down the page, look for USERS MAY SYNC SETTINGS AND ENTERPRISE APP DATA, and verify that "ALL" or “SELECTED” is selected.
  5. If “All” or “SELECTED” is already selected, select “None,” save and go back to the previously selected “ALL” or “SELECTED” with the original SG option, and then save again.
For a reference with screenshots, see Enable Enterprise State Roaming in Azure Active Directory.

(Optional) Set AllowAdHocSubscriptions to "False" on the tenant

If you want to set AllowAdHocSubscriptions back to False, use this cmdlet after the RMSBASIC subscription has been provisioned on the tenant:
Set-MsolCompanySettings -AllowAdHocSubscriptions $false



Properties

Article ID: 3193791 - Last Review: 10/15/2016 00:58:00 - Revision: 4.0

Windows 10 Version 1511, Windows 10 Version 1607

  • KB3193791
Feedback