OneDrive for Business 0x8004de40 sign-in error appears after password reset for VPN users: Fix Guide

If you use a VPN at work and recently reset your Microsoft 365 password, you might see error code 0x8004de40 when trying to sign in to OneDrive. This error means OneDrive cannot authenticate your credentials because the cached token on your device no longer matches the new password. The VPN connection often delays or blocks the communication needed to refresh the token. This article explains why the error happens specifically after a password reset on VPN networks and provides four tested fixes to restore OneDrive sync.

Key Takeaways: Fixing OneDrive Error 0x8004de40 After Password Reset on VPN

  • Clear cached credentials in Windows Credential Manager: Removes the old token so OneDrive must request a new one with your updated password.
  • Reset OneDrive sync by running the reset command: Run onedrive.exe /reset from the Run dialog to clear corrupt cache files without deleting local data.
  • Disconnect and reconnect VPN after password change: Forces the network stack to reauthenticate with the new credentials before OneDrive tries to connect.

Why Error 0x8004de40 Appears After a Password Reset on a VPN

Error 0x8004de40 is a Microsoft Entra ID authentication failure. When you change your Microsoft 365 password, the authentication token cached on your local machine becomes invalid. OneDrive tries to use that old token to sign in, the server rejects it, and the sync engine stops with error 0x8004de40.

A VPN connection makes this worse in two ways. First, the VPN may route authentication traffic through a slower or restricted path, delaying the token refresh request. Second, some VPN configurations cache DNS or proxy settings that point to old authentication endpoints. When OneDrive cannot reach the token endpoint quickly enough, it fails silently and shows the 0x8004de40 error instead of prompting you for new credentials.

Token cache and credential manager interaction

Windows stores your Microsoft 365 credentials in the Credential Manager under Windows Credentials. When you reset your password, the stored credential still contains the old password hash. OneDrive reads this hash, sends it to Microsoft Entra ID, and receives a rejection. The error code 0x8004de40 is the client-side representation of that rejection. The VPN does not cause the error directly, but it delays the fallback behavior that would normally trigger a new sign-in prompt.

Steps to Fix the 0x8004de40 Sign-In Error for VPN Users

Perform these steps in the order shown. After each step, test OneDrive sync by opening the OneDrive icon in the system tray and looking for a green check mark. If the error persists, move to the next step.

Method 1: Clear Stored Credentials in Windows Credential Manager

  1. Open Credential Manager
    Press Windows key + R, type control /name Microsoft.CredentialManager, and press Enter.
  2. Select Windows Credentials
    Click the Windows Credentials tab at the top of the window.
  3. Remove all OneDrive and Microsoft Office entries
    Scroll to the Generic Credentials section. Look for entries that contain OneDrive, MicrosoftOffice, or Microsoft ADAL. Click the arrow to expand each entry, then click Remove. Confirm the removal when prompted.
  4. Restart OneDrive
    Right-click the OneDrive cloud icon in the system tray and select Close OneDrive. Open OneDrive again from the Start menu. You will be prompted to sign in with your new password.
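
To confirm which entries Method 1 targets, and that none remain afterwards, the stored credentials can be listed from PowerShell. This is an added example, not part of the original article; it assumes English-language `cmdkey /list` output, and the function name and the pattern list (taken from the entry names in step 3) are illustrative. It only lists entries and removes nothing.

```powershell
# Added example: read-only audit of the entries that Method 1 removes by hand.
# Patterns follow step 3 of the article; 'ADAL' stands in for "Microsoft ADAL".
$Patterns = 'OneDrive', 'MicrosoftOffice', 'ADAL'

function Get-StoredCredentialTarget {
    # Assumption: cmdkey prints English labels ("Target:", "Type:", "User:").
    $entry = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            # A new "Target:" line starts the next entry; emit the previous one.
            if ($entry) { [pscustomobject]$entry }
            $entry = [ordered]@{ Target = $Matches[1].Trim(); Type = $null; User = $null }
        } elseif ($entry -and $line -match '^\s*Type:\s*(.+)$') {
            $entry.Type = $Matches[1].Trim()
        } elseif ($entry -and $line -match '^\s*User:\s*(.+)$') {
            $entry.User = $Matches[1].Trim()
        }
    }
    if ($entry) { [pscustomobject]$entry }
}

# Build one case-insensitive regex from the literal patterns.
$regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
$stale = @(Get-StoredCredentialTarget | Where-Object { $_.Target -match $regex })

if ($stale.Count -eq 0) {
    'No OneDrive, MicrosoftOffice or ADAL entries are stored.'
} else {
    "Found $($stale.Count) matching entries:"
    $stale | Format-Table -AutoSize -Wrap
}
```

Run it before step 3 to see what will be removed, and again after step 4 to see which entries were recreated by the new sign-in.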

Method 2: Reset OneDrive Sync

  1. Open the Run dialog
    Press Windows key + R.
  2. Run the reset command
    Type onedrive.exe /reset and press Enter. A command prompt window flashes briefly. This does not delete your local files.
  3. Wait for OneDrive to restart
    After a few seconds, OneDrive should open automatically. If it does not, open OneDrive from the Start menu. You will see the Welcome screen. Sign in with your new password.

Method 3: Disconnect and Reconnect the VPN

  1. Disconnect from the VPN
    Open your VPN client and click Disconnect. If you use Windows built-in VPN, go to Settings > Network & internet > VPN and click Disconnect.
  2. Clear DNS cache
    Open Command Prompt as Administrator. Type ipconfig /flushdns and press Enter. Type ipconfig /release and press Enter. Then type ipconfig /renew and press Enter.
  3. Reconnect to the VPN
    Open your VPN client again and connect. Wait for the connection to establish fully.
  4. Sign in to OneDrive again
    Right-click the OneDrive icon and select Sign in. Enter your new password.

Method 4: Re-register the Device in Microsoft Entra ID

  1. Open Settings
    Press Windows key + I. Go to Accounts > Access work or school.
  2. Disconnect the work or school account
    Click the connected account under Microsoft Entra ID. Click Disconnect. Confirm the prompt.
  3. Reconnect the account
    Click Connect and sign in with your new password. This re-registers the device with the updated token.
  4. Restart OneDrive
    Close OneDrive from the system tray and reopen it. Sign in again.

If OneDrive Still Shows Error 0x8004de40 After These Fixes

OneDrive error persists after clearing credentials and resetting sync

If the error remains, the VPN may be blocking the specific ports or URLs used by Microsoft Entra ID. Check with your IT department whether the VPN allows traffic to login.microsoftonline.com and to msftauth.net, including all subdomains. Ask them to verify that TCP ports 443 and 80 are open for outbound traffic to these endpoints. You can test connectivity by running Test-NetConnection login.microsoftonline.com -Port 443 in PowerShell.

OneDrive sign-in works without VPN but fails with VPN connected

This indicates a VPN-specific issue. Some VPN clients use a split-tunnel configuration that does not route Microsoft 365 traffic through the VPN. If your organization uses a full-tunnel VPN, all traffic goes through the VPN, and any proxy or firewall rules on the VPN server can block the token refresh. Ask your IT team to add the Microsoft 365 endpoints to the VPN bypass list or switch to a split-tunnel configuration for Office traffic.
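
The connectivity test and the split-tunnel question from the two sections above can be checked together. This is an added example, not part of the original article: it extends the single Test-NetConnection call to both ports and reports which network interface carries the traffic. The function name and the host aadcdn.msftauth.net (used as a representative msftauth.net subdomain) are assumptions; substitute the hosts your IT team lists.

```powershell
# Added example, not from the original article.
# login.microsoftonline.com is named in the article; aadcdn.msftauth.net is an
# assumed representative subdomain of msftauth.net.
$Endpoints = 'login.microsoftonline.com', 'aadcdn.msftauth.net'
$Ports     = 443, 80

function Test-AuthEndpoint {
    param([string]$Label)   # free-text tag for the run, e.g. 'VPN on'

    foreach ($name in $Endpoints) {
        # Resolve first so a DNS failure is reported separately from a blocked port.
        $resolved = $false
        try {
            $a = Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
                 Where-Object { $_.IPAddress }
            $resolved = [bool]$a
        } catch { }

        foreach ($port in $Ports) {
            $tcp = $null
            if ($resolved) {
                $tcp = Test-NetConnection -ComputerName $name -Port $port `
                       -WarningAction SilentlyContinue
            }
            [pscustomobject]@{
                Run       = $Label
                Endpoint  = $name
                Port      = $port
                Resolved  = $resolved
                TcpOk     = [bool]($tcp -and $tcp.TcpTestSucceeded)
                RemoteIp  = if ($tcp) { "$($tcp.RemoteAddress)" } else { $null }
                # VPN adapter name here means the traffic is tunnelled.
                Interface = if ($tcp) { $tcp.InterfaceAlias } else { $null }
            }
        }
    }
}

# Run once with the VPN connected, then again after disconnecting, and compare.
Test-AuthEndpoint -Label 'VPN on' | Format-Table -AutoSize
```

If Interface shows the VPN adapter and TcpOk is False only while the VPN is connected, the block is on the VPN path. A direct TCP test does not exercise an HTTP proxy enforced by the VPN, so a True result alone does not prove the token endpoint is usable through that proxy.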

Error 0x8004de40 returns after a few hours even after successful sign-in

This happens when the token refresh interval is shorter than the VPN session timeout. The token expires, OneDrive tries to refresh it over the VPN, and the VPN connection has already timed out or changed IP address. Set your VPN client to stay connected indefinitely or configure the token lifetime in Microsoft Entra ID by working with your tenant administrator. You can also schedule a daily restart of the OneDrive sync engine using Task Scheduler.

OneDrive Sync Modes: Cached Credentials vs Token Refresh for VPN Users

| Item | Cached Credentials | Token Refresh |
| --- | --- | --- |
| Description | Stores password hash locally in Windows Credential Manager | Requests a new access token from Microsoft Entra ID on each sync interval |
| When used | Initial sign-in and when VPN is unavailable | During normal sync operations and after password change |
| VPN impact | VPN can block the server response, causing stale credentials to be used | VPN can delay or block token endpoint communication, causing timeout |
| Error 0x8004de40 trigger | Old password hash is sent after password reset | Token refresh fails because VPN blocks the endpoint |
| Fix method | Clear credentials in Credential Manager | Flush DNS, reconnect VPN, or re-register device |

The table shows that error 0x8004de40 can originate from two different authentication stages. Clearing cached credentials addresses the first cause. Reconnecting the VPN and re-registering the device addresses the second. Apply both fixes when the error appears after a password reset.

You can now resolve the 0x8004de40 error by clearing stored credentials, resetting OneDrive sync, and reconnecting your VPN in the correct order. If the problem recurs, ask your IT team to verify that VPN routing allows traffic to login.microsoftonline.com and to msftauth.net, including all subdomains. For persistent cases, use the Credential Manager method first, because it directly removes the invalid token that causes the error.
