OneDrive Sync and M365 Authentication Failure — Sync Client Reset, KFM Policy, and AppLocker Block
OneDrive for Business sync clients on enterprise Windows endpoints fail to sync, stall in 'Uploading' or 'Processing changes' state, or repeatedly prompt for M365 credentials. Root causes include expired authentication tokens blocked by Conditional Access, corrupted local sync databases, Known Folder Move (KFM) Group Policy misconfiguration, proxy/VPN blocking Microsoft 365 endpoints, or AppLocker/WDAC policies blocking OneDrive executables (OneDrive.exe, FileCoAuth.exe). Resolution follows a structured path: verify connectivity and licensing, inspect SyncDiagnostics.log and Event Viewer, reset or re-link the OneDrive client, clear stale Credential Manager tokens, and correct KFM or security baseline policy as needed.
Indicators
- OneDrive system tray icon shows red X or persistent 'Paused' state with no self-recovery
- Files indefinitely stuck in 'Uploading' or 'Processing changes' state in the OneDrive folder
- Microsoft 365 apps (Outlook, Word, Teams) repeatedly prompting for sign-in credentials
- OneDrive banner error: 'There was a problem connecting to OneDrive' or 'We couldn't sign you in'
- User unable to open or save files to OneDrive-backed SharePoint document libraries
- Event ID 1000 in Application event log with OneDrive.exe as the faulting application
- AppLocker EXE/DLL log showing block events for OneDrive.exe or FileCoAuth.exe
Likely causes
- Authentication token expiration or Conditional Access policy blocking the OneDrive sync client identity
- Corrupted OneDrive local sync database or account cache requiring client reset
- Known Folder Move (KFM) Group Policy misconfiguration causing Desktop/Documents/Pictures redirect failures
- Proxy, firewall, or VPN split-tunnel misconfiguration blocking required Microsoft 365 endpoints (*.sharepoint.com, *.onedrive.com) on TCP 443
- AppLocker or Windows Defender Application Control (WDAC) policy blocking OneDrive executables after a client version update
- Missing or suspended Microsoft 365 license preventing the user account from accessing OneDrive for Business storage
Diagnostic steps
- Check OneDrive client version: right-click the OneDrive system tray icon > Settings > About. Note the build number and compare against the current production release at https://support.microsoft.com/en-us/office/onedrive-release-notes-845dcf18-f921-435e-bf28-4e24b95e5fc0. Determines whether a known-buggy or outdated OneDrive client version is the cause of the failure before investing time in account or policy-level diagnosis.
- Review OneDrive sync diagnostic logs: navigate to %localappdata%\Microsoft\OneDrive\logs\ and open SyncDiagnostics.log and the most recent .odl files. Search for ERROR or FAIL strings. Surfaces authentication failures, file conflict errors, and sync engine errors not exposed in the UI — pinpoints whether the fault is auth, network, or file-level.
- Test network reachability to M365 endpoints from the affected machine using PowerShell: Test-NetConnection -ComputerName <tenant>.sharepoint.com -Port 443 and Test-NetConnection -ComputerName onedrive.com -Port 443. Both should return TcpTestSucceeded: True. Confirms whether proxy, firewall, or VPN split-tunnel configuration is blocking OneDrive traffic — a separate but commonly co-occurring failure mode.
- Check Event Viewer for OneDrive errors and crashes: Applications and Services Logs > Microsoft > Windows > OneDrive (for sync events), and the Application log for Event ID 1000 with OneDrive.exe as the faulting application. Identifies OS-recorded application crashes, identity/token errors, and policy enforcement blocks that confirm root cause before attempting a reset.
- Check the AppLocker event log for policy blocks on OneDrive executables: Event Viewer > Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL. Look for block events against OneDrive.exe or FileCoAuth.exe. Security baseline and app-blocking policies that block updated OneDrive executable versions are a known failure mode — confirm this before creating allow-rule exceptions.
- Run the Microsoft Support and Recovery Assistant (SaRA) for OneDrive: download from https://aka.ms/SaRA and select the OneDrive scenario. Review the output report for account configuration issues, KFM status, and connectivity check results. Automates common diagnostic checks including account validity, KFM policy state, and endpoint reachability — reduces manual investigation time significantly.
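The steps above can be collected in one pass on the affected endpoint. The following PowerShell script is an added example, not part of the original runbook: it reads the client version, greps SyncDiagnostics.log, tests TCP 443 to the M365 hosts, pulls Event ID 1000 crashes and AppLocker block events (8004 = blocked, 8003 = audit-mode "would have blocked") for the OneDrive binaries, and checks the KFM policy value. The tenant name, the expected tenant ID and the extra <tenant>-my.sharepoint.com host are assumptions to replace with real values; the KFMSilentOptIn registry value is where the "Silently move Windows known folders" policy stores the tenant ID.

```powershell
# Added example, not part of the original runbook: gathers the evidence the
# diagnostic steps ask for in one pass. TenantName and ExpectedTenantId are
# placeholders to replace with the real tenant values.
param(
    [string]$TenantName       = 'contoso',                               # placeholder
    [string]$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder
)

$report = [ordered]@{}
$since  = (Get-Date).AddDays(-7)

# 1. Client version (same value as tray icon > Settings > About; per-user install path)
$oneDriveExe = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\OneDrive.exe'
$report.ClientVersion = if (Test-Path $oneDriveExe) {
    (Get-Item $oneDriveExe).VersionInfo.ProductVersion
} else {
    'OneDrive.exe not found under %localappdata%'
}

# 2. ERROR/FAIL lines from SyncDiagnostics.log (the file sits in a per-account
#    subfolder such as logs\Business1, hence -Recurse); keep the last 20 hits
$logDir = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\logs'
$report.SyncLogErrors = @(
    Get-ChildItem -Path $logDir -Filter 'SyncDiagnostics.log' -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern 'ERROR|FAIL' |
        Select-Object -Last 20 |
        ForEach-Object { $_.Line }
)

# 3. TCP 443 reachability to the hosts the runbook names, plus the
#    <tenant>-my.sharepoint.com host that serves OneDrive for Business content (assumption)
$hosts = @("$TenantName.sharepoint.com", "$TenantName-my.sharepoint.com", 'onedrive.com')
$report.Connectivity = @(
    foreach ($h in $hosts) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; TcpTestSucceeded = $r.TcpTestSucceeded }
    }
)

# 4. Application log: Event ID 1000 crashes where OneDrive.exe is the faulting app
$report.OneDriveCrashes = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'OneDrive\.exe' } |
        Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
)

# 5. AppLocker EXE and DLL log: 8004 = blocked, 8003 = would be blocked (audit mode)
$report.AppLockerBlocks = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'OneDrive\.exe|FileCoAuth\.exe' } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
)

# 6. KFM policy: 'Silently move Windows known folders to OneDrive' writes
#    KFMSilentOptIn = <tenant ID> under HKLM\SOFTWARE\Policies\Microsoft\OneDrive
$kfm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive' -Name 'KFMSilentOptIn' -ErrorAction SilentlyContinue
$report.KfmTenantId      = $kfm.KFMSilentOptIn
$report.KfmMatchesTenant = ($null -ne $kfm -and $kfm.KFMSilentOptIn -eq $ExpectedTenantId)

# Emit as JSON so the whole picture can be attached to the ticket
$report | ConvertTo-Json -Depth 4
```

Run it as the affected user (the log folder and per-user install path are under that user's profile); reading the AppLocker log and HKLM policy key needs no elevation. A missing KFMSilentOptIn value or a tenant ID mismatch points straight at resolution step 4, AppLocker 8004 events at step 5, and a failed TcpTestSucceeded at the proxy/VPN items under Prevention.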
Resolution path
- 1. Reset the OneDrive sync client: close OneDrive from the system tray (right-click > Close OneDrive), then run: %localappdata%\Microsoft\OneDrive\onedrive.exe /reset. Wait 2 minutes, then manually relaunch OneDrive from Start or by running the same path without /reset. This clears the local sync database without deleting cloud files.
- 2. If the reset does not resolve the issue, unlink and re-link the account: OneDrive tray icon > Settings > Account > Unlink this PC. Sign back in with the user's Microsoft 365 credentials and reconfigure which folders to sync.
- 3. If authentication is identified as the root cause (repeated credential prompts, auth errors in SyncDiagnostics.log), clear stale tokens from Windows Credential Manager: Control Panel > Credential Manager > Windows Credentials. Remove all entries containing 'MicrosoftOffice', 'OneDrive', or the tenant domain name. Then relaunch OneDrive and sign in fresh.
- 4. For Known Folder Move failures, verify or reapply KFM Group Policy: User Configuration > Administrative Templates > OneDrive > 'Silently move Windows known folders to OneDrive'. Confirm the policy is scoped to the correct Tenant ID (available from Entra ID admin centre > Overview). Run gpupdate /force on the affected machine to reapply.
- 5. If AppLocker or WDAC is blocking OneDrive components, add publisher-based allow rules for Microsoft-signed OneDrive executables (OneDrive.exe, FileCoAuth.exe). Alternatively, place the machine temporarily in AppLocker audit mode to confirm the block is active before creating the exception. Do not disable WDAC/AppLocker globally.
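Steps 1, 3 and 5 above lend themselves to scripting when the same fix has to be applied on several endpoints. The PowerShell functions below are an added example, not from the original runbook: they wrap the /reset sequence, the Credential Manager clean-up via cmdkey, and the publisher-rule exception built with the AppLocker cmdlets. The per-user install path, the 'contoso.com' tenant domain and the output XML path are assumptions; the cmdkey output parsing assumes the "Target: <type>:target=<name>" line format that cmdkey /list prints.

```powershell
# Added example, not part of the original runbook: the reset, credential
# clean-up and AppLocker steps as functions. Reset-OneDriveClient and
# Clear-M365CachedCredentials run as the affected user; the AppLocker step
# needs an elevated prompt. TenantDomain is a placeholder.

function Reset-OneDriveClient {
    # Step 1: stop the client, run /reset (clears the local sync DB only, cloud
    # files are untouched), wait as the runbook says, then relaunch without the switch.
    $exe = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\OneDrive.exe'   # per-user install assumed
    if (-not (Test-Path $exe)) { throw "OneDrive.exe not found at $exe" }
    Get-Process -Name 'OneDrive' -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Process -FilePath $exe -ArgumentList '/reset'
    Start-Sleep -Seconds 120
    Start-Process -FilePath $exe
}

function Clear-M365CachedCredentials {
    param([string]$TenantDomain = 'contoso.com')   # placeholder
    # Step 3: delete Credential Manager entries matching the runbook's patterns.
    # cmdkey /list prints one "Target: <type>:target=<name>" line per credential;
    # cmdkey /delete wants the <name> part only, so the type prefix is stripped.
    $targets = cmdkey /list | ForEach-Object {
        if ($_ -match '^\s*Target:\s*(.+?)\s*$') { $Matches[1] }
    }
    $stale = @($targets | Where-Object {
        $_ -match 'MicrosoftOffice|OneDrive' -or $_ -like "*$TenantDomain*"
    })
    foreach ($t in $stale) {
        $name = $t -replace '^[A-Za-z]+:target=', ''
        cmdkey "/delete:$name" | Out-Null
    }
    return $stale   # record of what was removed, for the ticket
}

function Add-OneDriveAppLockerAllowRule {
    param([string]$OutputXml = (Join-Path $env:TEMP 'OneDrive-AppLocker-Allow.xml'))   # placeholder path
    # Step 5: publisher rules for the Microsoft-signed binaries (they keep matching
    # across version updates, unlike hash rules), merged into the existing local
    # policy. -Merge matters: without it Set-AppLockerPolicy replaces the whole policy.
    $dir   = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive'
    $files = Get-ChildItem -Path $dir -Recurse -Include 'OneDrive.exe', 'FileCoAuth.exe'
    if (-not $files) { throw "No OneDrive binaries found under $dir" }
    $info   = $files | Get-AppLockerFileInformation
    $policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User 'Everyone' -Xml
    Set-Content -Path $OutputXml -Value $policy -Encoding UTF8
    Set-AppLockerPolicy -XmlPolicy $OutputXml -Merge
    return $OutputXml   # keep the XML to import into the domain GPO if one applies
}
```

Call the functions one at a time in the runbook's order and re-test between them, since the runbook treats each as a separate escalation step. Add-OneDriveAppLockerAllowRule changes only the local AppLocker policy; where AppLocker is delivered by domain Group Policy, the domain policy wins, so the generated XML has to be imported into that GPO in GPMC for the exception to take effect.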
Prevention
- Explicitly allow OneDrive and SharePoint service URLs and IP ranges (Microsoft 365 'Optimize' and 'Allow' categories) in proxy and firewall allow-lists. Configure VPN split-tunnelling to exclude category 'Optimize' M365 endpoints per https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-network-connectivity-principles.
- Audit AppLocker and WDAC publisher rules every time a new OneDrive client version ships — updated executables or new helper processes (e.g., FileCoAuth.exe) introduced by client updates may not match existing allow rules.
- Enrol a subset of endpoints in the OneDrive Insider ring before production ring updates to catch client regressions before widespread rollout.
- Monitor OneDrive sync health at scale via Microsoft 365 admin centre > Reports > OneDrive usage and the OneDrive sync health dashboard (requires Entra ID P1 or higher) to detect silent sync failures before users report them.
Tools
- Microsoft Support and Recovery Assistant (SaRA) — automated OneDrive and M365 diagnostics (https://aka.ms/SaRA)
- OneDrive reset switch (/reset) — clears local sync database without deleting cloud files
- Windows Credential Manager — removes stale M365 authentication tokens
- Event Viewer — review OneDrive, AppLocker/WDAC, and Application logs
- Test-NetConnection (PowerShell) — verifies network reachability to M365 endpoints
- Group Policy Management Console (GPMC) — review and modify OneDrive KFM policies