OneDrive Business1 regression diagnostic
Some users hit a recurring failure where the OneDrive Business1 registry
record is present but the UserFolder value is
blank. Files won't hydrate because cldflt has no upstream
binding. The most painful variant: the regression returns within 7 days of
a full uninstall+reinstall repair, with no obvious user action between fix
and breakage. Tracked as ADO #583. First captured on a Caron Bletzer host
(2026-06-03).
Signature
- HKCU\SOFTWARE\Microsoft\OneDrive\Accounts\Business1\UserEmail: populated
- HKCU\SOFTWARE\Microsoft\OneDrive\Accounts\Business1\UserFolder: BLANK ← combined-variant signal
- HKCU\SOFTWARE\Microsoft\OneDrive\Accounts\Business1\Tenants\<tenant>: zero library entries
- Personal OneDrive folder physically present on disk with reparse tag 0x9000701A
- onedrive.exe /reset does NOT clear the state
Automated detection
As of agent v2.4.21+, the OneDrive health monitor reports this as a
distinct signal: od.business1.userfolder-blank
(fail grade). It is mapped to remediation
REM_OD_011_DiagnoseRegression rather than a destructive repair —
the field evidence says no current repair survives, so the first action is
to capture forensic state instead of compounding the problem.
The signal raises a MonitoringFinding with
source=onedrive, resource=Business1 on
<hostname>. Trigger the diagnostic via the standard
MonitoringFindings promote-to-task path; admins get a task with the
detailed diagnostic script as the next-step instruction.
Diagnostic capture
Script:
Runbooks/Remediations/OneDrive/REM_OD_011_DiagnoseRegression.ps1.
Run it as the affected user (preferred) OR via Task Scheduler in
LoadUserProfile mode (so HKCU points at the right hive). Outputs a
structured JSON report covering:
- Bootstrap state: full Business1 + Personal account contents, the per-tenant library list, and the true RegQueryInfoKey last-write timestamp on the Business1 key (via P/Invoke — PowerShell doesn't expose this directly).
- Policy sources: HKLM + HKCU Policies\Microsoft\OneDrive values (where Group Policy and Intune ADMX deliver settings).
- Group Policy History: any GPO that has touched the OneDrive CSE GUID (f312195e-aa3a-4cbb-b8dd-4af8a1a6f8bf).
- Intune CSP state: HKLM\SOFTWARE\Microsoft\PolicyManager\current\{device|user}\OneDriveNGSC — surfaces the live applied state, including Silent account configuration, KFM, and tenant filters.
- OneDrive scheduled tasks: name, state, last/next run, last result.
- cldflt service: status + start type.
- Recent events: last 8 days of OneDrive / cldflt events from System + Application logs.
- ClientPolicy.ini files: filenames, sizes, last-write timestamps in %LOCALAPPDATA%\Microsoft\OneDrive\settings\.
Each run writes a snapshot to
%ProgramData%\TATER\onedrive-snapshots\<user>-<ts>.json
(last 30 retained). The agent caller can diff against the previous
snapshot to identify the field that mutated between runs — typically the
strongest signal for "what is rewriting Business1 in the background."
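The snapshot comparison described above, as an added Go example (not the agent's own code): it flattens two snapshots into field paths and lists every path whose value differs. The field names and sample values are constructed assumptions, since the report schema is not shown here; arrays are compared as whole JSON values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed snapshots; every field name is an assumption, not the script's schema.
const prevSnap = `{"Business1":{"UserEmail":"u@example.com","UserFolder":"C:\\Users\\u\\OneDrive - Example","LastWriteUtc":"2026-06-03T09:00:00Z"},"Libraries":["Documents"],"Cldflt":{"Status":"Running"}}`
const currSnap = `{"Business1":{"UserEmail":"u@example.com","UserFolder":"","LastWriteUtc":"2026-06-08T02:14:07Z"},"Libraries":[],"Cldflt":{"Status":"Running"}}`

// flatten stores each leaf under a path such as $.Business1.UserFolder; side 0 = previous, 1 = current.
func flatten(path string, v any, side int, out map[string]*[2]string) {
	if obj, ok := v.(map[string]any); ok {
		for k, child := range obj {
			flatten(path+"."+k, child, side, out)
		}
		return
	}
	if out[path] == nil {
		out[path] = &[2]string{"(absent)", "(absent)"}
	}
	b, _ := json.Marshal(v) // scalars and arrays are compared as JSON text
	out[path][side] = string(b)
}

// DiffSnapshots returns one "path: old -> new" line per mutated field, sorted by path.
func DiffSnapshots(prev, curr []byte) ([]string, error) {
	leaves := map[string]*[2]string{}
	for side, raw := range [][]byte{prev, curr} {
		var v any
		if err := json.Unmarshal(raw, &v); err != nil {
			return nil, fmt.Errorf("snapshot %d is not valid JSON: %w", side, err)
		}
		flatten("$", v, side, leaves)
	}
	var changes []string
	for path, pair := range leaves {
		if pair[0] != pair[1] {
			changes = append(changes, path+": "+pair[0]+" -> "+pair[1])
		}
	}
	sort.Strings(changes)
	return changes, nil
}

func main() {
	fmt.Println(DiffSnapshots([]byte(prevSnap), []byte(currSnap)))
}
```

Sections that change on every run, such as the recent-events list, will always show up in the output and can be filtered by path prefix before review.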
Exit codes
| Code | Meaning |
|---|---|
| 0 | Healthy — Business1 present and UserFolder populated. |
| 2 | User profile not loaded (run as the user OR with LoadUserProfile). |
| 3 | Regression detected — Business1 present, UserFolder blank. |
Investigation checklist
When the regression is captured, work through these in order against the JSON output:
- Business1 last-write timestamp vs. Day-0 repair timestamp. Confirms the record really was rewritten (vs a UserFolder that never populated after a partial repair).
- Group Policy History — any OneDrive-touching GPO that applied in the last 8 days. The CSE GUID is fixed; look for DisplayName / GPOLink fields.
- Intune CSP state — compare OneDriveNGSC values across snapshots. The "Silent account configuration" CSP has historically reset UserFolder when its tenant guidance changes.
- Scheduled tasks — OneDrive update / Standalone Update Task / Sign-in helper. Cross-reference LastRunUtc with the Business1 last-write timestamp; the closest preceding task run is the likely culprit.
- RecentEvents — OneDrive event IDs 1, 1000, 7036 (cldflt service start/stop), 1234 (account reset) frame the timeline.
- ClientPolicy.ini files — sometimes the ClientPolicy.ini bound to the missing library is deleted, which explains the "no library" symptom.
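The last-write check and the scheduled-task cross-reference from this checklist, as an added Go example (not part of REM_OD_011 or the agent): it confirms the Business1 last-write postdates the Day-0 repair, then picks the task whose LastRunUtc most closely precedes that write. The Task and Verdict types, the Triage function and the sample task rows are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Task is one scheduled-task row; only the LastRunUtc name comes from the runbook.
type Task struct{ Name, LastRunUtc string }

// Verdict covers the last-write check and the scheduled-task check.
type Verdict struct {
	Rewritten bool          // Business1 was written after the Day-0 repair
	Suspect   string        // task whose last run most closely precedes that write
	Gap       time.Duration // suspect run to write; -1 when no task qualifies
}

// Triage takes RFC 3339 timestamps for the repair and the Business1 last-write.
func Triage(repair, lastWrite string, tasks []Task) (Verdict, error) {
	rep, err1 := time.Parse(time.RFC3339, repair)
	wr, err2 := time.Parse(time.RFC3339, lastWrite)
	if err1 != nil || err2 != nil {
		return Verdict{}, fmt.Errorf("repair and last-write must be RFC 3339 timestamps")
	}
	if !wr.After(rep) {
		return Verdict{}, nil // not rewritten: UserFolder never populated after the repair
	}
	v := Verdict{Rewritten: true, Gap: -1}
	for _, t := range tasks {
		ran, err := time.Parse(time.RFC3339, t.LastRunUtc)
		if err != nil || ran.After(wr) {
			continue // never ran, or ran again later so the earlier run is not recorded
		}
		if gap := wr.Sub(ran); v.Gap < 0 || gap < v.Gap {
			v.Suspect, v.Gap = t.Name, gap
		}
	}
	return v, nil
}

func main() {
	tasks := []Task{ // constructed sample rows
		{"OneDrive Standalone Update Task", "2026-06-08T02:13:40Z"},
		{"OneDrive Sign-in helper", "2026-06-07T08:00:00Z"},
		{"OneDrive update", "2026-06-08T06:00:00Z"},
	}
	fmt.Println(Triage("2026-06-03T09:00:00Z", "2026-06-08T02:14:07Z", tasks))
}
```

LastRunUtc holds only the most recent run, so a task that has run again since the write drops out of the ranking; an earlier snapshot still holds its previous LastRunUtc.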
What the diagnostic does NOT do
- It does not attempt a repair. Per #583 field evidence, every current repair regresses within 7 days. The point of v1 is to gather data so the underlying cause can be found and fixed BEFORE re-applying repair.
- It does not invoke onedrive.exe /reset — that's known to be ineffective for this state and triggers EDR noise (#560).
- It does not destroy the Business1 record. The REM_OD_009_UnregisterSyncRoot and REM_OD_010_ResetClient remediations remain admin-dispatch + version-gated; this diagnostic is read-only.
Once the cause is known
Add the identified mutation source (GPO name / Intune CSP path /
scheduled-task ARN) to the BUSINESS1_REGRESSION_SOURCES
list in
Agent/go/internal/onedrive/grader.go and ship a Tier 3
remediation that targets it explicitly. The combined-variant signal will
auto-clear on the next agent cycle.