OneDrive for Business 0x8004de40 sign-in error keeps returning for managed devices: Fix Guide

The OneDrive for Business sign-in error 0x8004de40 prevents users from connecting to their Microsoft 365 account. This error appears repeatedly on managed devices even after the user enters correct credentials. The root cause is typically a corrupted token cache, a misconfigured Conditional Access policy, or a broken Windows credential entry for OneDrive. This article explains why the 0x8004de40 error persists on organization-managed devices and provides the exact steps to resolve it.

Key Takeaways: Fixing OneDrive 0x8004de40 on Managed Devices

  • Windows Credential Manager > Windows Credentials > Generic Credentials: Remove all entries that contain “OneDrive Cached Credential” to clear stale tokens.
  • OneDrive Settings > Account > Unlink this PC: Resets the sync relationship and forces a fresh authentication request.
  • Microsoft 365 admin center > Entra ID > Conditional Access: Verify that device compliance or MFA policies are not blocking token refresh for OneDrive.

Why the 0x8004de40 Error Repeats on Managed Devices

The 0x8004de40 error is a sign-in failure code that indicates OneDrive cannot obtain or refresh an authentication token for the Microsoft 365 tenant. On managed devices joined to Microsoft Entra ID, the error often persists because of three overlapping causes.

First, a corrupted token cache in Windows Credential Manager holds an expired or invalid credential. OneDrive retries the same broken credential instead of requesting a new one. Second, a Conditional Access policy in the tenant requires device compliance, multi-factor authentication, or a specific client app. If the device is out of compliance or the policy is misconfigured, the token refresh fails silently. Third, the OneDrive client itself may have a stale cache file that does not match the current tenant configuration.

On managed devices, Group Policy or Intune settings can also block the automatic repair of OneDrive, causing the error to return after each reboot or network change.

Steps to Clear Credentials and Reset OneDrive Sign-In

The following method removes all cached tokens and forces OneDrive to perform a fresh authentication with your Microsoft 365 tenant.

  1. Close OneDrive completely
    Right-click the OneDrive cloud icon in the system tray and select Settings. In the Settings window, go to the Account tab and click Unlink this PC. Confirm the prompt. Then right-click the OneDrive icon again and select Exit. Verify that no OneDrive process is running in Task Manager.
  2. Open Windows Credential Manager
    Press Windows key + R, type control, and press Enter. In Control Panel, set View by to Large icons and click Credential Manager. Select Windows Credentials.
  3. Remove all OneDrive-related generic credentials
    Scroll to the Generic Credentials section. Look for entries that contain “OneDrive Cached Credential” or “MicrosoftOffice16_Data:ADAL:”. Click the arrow to expand each entry, then click Remove. Confirm each removal. Do not remove credentials that belong to other Microsoft services unless you know they are safe to delete.
  4. Delete the OneDrive token cache folder
    Open File Explorer and paste the following path into the address bar:
    %localappdata%\Microsoft\OneDrive\settings\Business1
    Delete the file named TokenCache.dat if it exists. If you see multiple Business folders, delete the TokenCache.dat file inside each one.
  5. Restart OneDrive
    Press the Windows key, type OneDrive, and press Enter. OneDrive will open and prompt you to sign in. Enter your Microsoft 365 work or school account credentials. If your organization uses multi-factor authentication, complete the MFA challenge.

If the Error Persists: Verify Conditional Access Policies

When the error returns after clearing credentials, the cause is likely a Conditional Access policy that blocks OneDrive from refreshing its token. A Microsoft 365 global administrator or user with the Conditional Access Administrator role must check the tenant policies.

  1. Sign in to the Microsoft 365 admin center
    Go to admin.microsoft.com and sign in with an account that has the Global Administrator or Conditional Access Administrator role.
  2. Navigate to Entra ID Conditional Access
    In the left navigation, select Show all > Identity > Security > Conditional Access. Alternatively, use the search bar and type Conditional Access.
  3. Review policies that target OneDrive or Office 365
    Click Policies and look for any policy that includes Office 365 or OneDrive in the Cloud apps or actions assignment. Check whether the policy requires Device compliance, Multi-factor authentication, or Approved client app.
  4. Verify device compliance status
    On the affected device, open Settings > Accounts > Access work or school. Click the connected Microsoft Entra account and select Info. Look for a message that says Device is compliant. If the device is not compliant, contact your IT department to enroll it in Microsoft Intune or another MDM solution.
  5. Test with a policy exclusion
    If you are an administrator, temporarily set the policy to Report-only mode to see whether it is blocking OneDrive sign-in. If the error stops, either add OneDrive to the policy's Exclude list or modify the grant controls.

If OneDrive Still Has Issues After the Main Fix

OneDrive 0x8004de40 appears after every Windows update

Windows updates occasionally reset the OneDrive credential state. Run the credential removal steps again after each update. To automate this, create a PowerShell script that runs at startup and deletes the TokenCache.dat file. Deploy the script through Intune or Group Policy.
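
The credential and token-cache cleanup from steps 1, 3 and 4 of the main fix, written as a script for the automation described above. This is an added example, not code from the original article. It assumes English `cmdkey` output and must run in the signed-in user's context (a user logon script, or an Intune script set to run with the logged-on credentials), because a computer startup script runs as SYSTEM and cannot see the user's Credential Manager entries or %localappdata%. It does not unlink the PC or restart OneDrive.

```powershell
# Added example (not from the original article). Run in the signed-in user's
# context: Credential Manager entries and %LOCALAPPDATA% are per-user.
[CmdletBinding(SupportsShouldProcess)]
param()

# Credential target substrings named in step 3 of the article.
$patterns = 'OneDrive Cached Credential', 'MicrosoftOffice16_Data:ADAL:'

# Step 1: stop the sync client so it does not hold or rewrite the cache.
Get-Process -Name OneDrive -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 3: parse "Target: ..." lines from cmdkey and keep only matching entries.
# Assumption: English cmdkey output; the "Target:" label is localized.
$targets = cmdkey.exe /list | ForEach-Object {
    if ($_ -match '^\s*Target:\s*(.+?)\s*$') { $Matches[1] }
} | Where-Object {
    $name = $_
    [bool]($patterns | Where-Object { $name -like "*$_*" })
}

foreach ($target in $targets) {
    if ($PSCmdlet.ShouldProcess($target, 'Delete stored credential')) {
        Write-Output "Deleting credential: $target"
        # Quote the whole argument: target names contain spaces.
        cmdkey.exe "/delete:$target" | Out-Null
    }
}

# Step 4: delete TokenCache.dat from every Business* settings folder.
$settings = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\settings'
Get-ChildItem -Path $settings -Directory -Filter 'Business*' -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'TokenCache.dat' } |
    Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
    ForEach-Object { Remove-Item -LiteralPath $_ -Force }
```

Run it once with `-WhatIf` to list the credentials and files it would remove without changing anything.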

Error occurs only when using a VPN

Some VPN configurations block the authentication endpoints that OneDrive uses. Verify that your VPN allows traffic to login.microsoftonline.com and all subdomains, graph.microsoft.com, and onedrive.live.com. If your VPN uses split tunneling, add these domains to the allowed list.

OneDrive shows 0x8004de40 after a password reset

A password change invalidates the cached token immediately. Follow the steps in the main fix to remove credentials and unlink OneDrive. Do not skip the TokenCache.dat deletion step, because the file may still contain the old token hash.

Manual Credential Reset vs Unlink and Reconnect: Key Differences

| Item | Manual Credential Reset | Unlink and Reconnect |
| --- | --- | --- |
| Scope | Removes token cache and Windows credentials only | Resets sync relationship and local sync cache |
| Effect on local files | No files are moved or deleted | Files remain in the local OneDrive folder but stop syncing until reconnection |
| When to use | Error occurs immediately after sign-in or after password change | Error persists after credential reset or after a tenant migration |
| Time required | 5 minutes | 10 to 15 minutes, including re-sync of file metadata |

After completing the credential reset and verifying Conditional Access policies, the 0x8004de40 error should no longer appear. The next time you sign in, OneDrive will create a fresh token and store it correctly. If your organization uses Intune, consider deploying the OneDrive Silent account configuration policy to prevent credential corruption in the future. For persistent issues, run the OneDrive reset command by pressing Windows key + R, typing %localappdata%\Microsoft\OneDrive\OneDrive.exe /reset, and pressing Enter.
