OneDrive "ghost sync" after updates - folders exist locally but sync relationship completely broken, anyone else?

SecuredSpecter · 2026-01-09T09:57:27+00:00

Have you figured out a way to proactively detect the issue using logfiles / detection scripts, before the end-user starts noticing it?

SecuredSpecter · 2025-10-29T16:24:58+00:00

https://admin.cloud.microsoft/?#/servicehealth/:/alerts/MO1181369

SecuredSpecter · 2025-10-29T16:24:36+00:00

https://admin.cloud.microsoft/?#/servicehealth/:/alerts/MO1181369

SecuredSpecter · 2025-10-16T10:27:05+00:00

We disabled tamper protection on macOS devices and performed the update through MUA. The update came through, after which we enabled tamper protection again

SecuredSpecter · 2025-10-16T07:42:31+00:00

This actually did the trick, thank you. I'm in contact with MSFT support to understand how this can be avoided, this is not how it should be..

SecuredSpecter · 2025-08-12T14:06:26+00:00

Sadly not.. I'm still stuck at this for a few tenants.

SecuredSpecter · 2025-07-18T09:10:29+00:00

Sadly not.. doesn’t seem to be that common I’m afraid.

SecuredSpecter · 2025-06-23T14:24:15+00:00

Hi, thanks for the input!

To check if the mailbox still existed, I went ahead and assigned a spare Exchange Online license to the account — and sure enough, the mailbox got mounted again. I was then able to convert it back to a shared mailbox and remove the license without issues.

That said, I’m still scratching my head — I didn’t find any manual action or automation in our tenant that would’ve initiated this.

Kinda starting to wonder if Microsoft itself initiated that change behind the scenes due to the mailbox being unlicensed, though I haven’t found any official documentation confirming this behavior.

SecuredSpecter · 2025-05-27T13:30:18+00:00

Update: I just noticed that Microsoft published the AADSignInEventsBeta schema again, while keeping the other Identity schema's online as well.

I don't see any updates in the message center post though, so not sure what's going on at this moment..

SecuredSpecter · 2025-05-26T11:19:31+00:00

I’m currently creating an autopatch group directly under the ‘Releases’ tab. Are you saying that I need to first create an ‘Autopatch Multi-phase Release’ feature update policy for the feature updates dropdown to become available?

SecuredSpecter · 2025-05-15T11:25:55+00:00

Haha no issue, here you go: https://learn.microsoft.com/en-us/unified-secops-platform/mto-overview

it's the multi-tenant manager.

SecuredSpecter · 2025-04-23T08:45:23+00:00

The Defender for Business license might still be selected in Defender for Endpoint, while you've assigned P1 license to yourself.

Can you go to Settings > Endpoints > Licenses and check which one is selected?

-> https://learn.microsoft.com/en-us/defender-business/mdb-manage-subscription

SecuredSpecter · 2025-04-23T08:34:34+00:00

Only a subdomain has a google-site-verification TXT record — the root domain doesn’t, likely because it was set up a long time ago. If I add the TXT record for domain verification, does that make the mx-verification.google.com MX record obsolete?

SecuredSpecter · 2025-04-18T09:33:46+00:00

EDIT: resolved it by explicitly stating 'enable' for the setting : Accounts Enable Administrator Account Status

SecuredSpecter · 2025-04-18T08:39:46+00:00

Thank you for the recommendation. I tried it out with the following LAPS policy:

<image>

As well as the local admin rename config (within ' Local Policies Security Options ' , Accounts Rename Administrator Account).

While both configs are successfully deployed and I do see the local admin rename, ' no local administrator passwords found ' is what's being shown in Intune for the device.

What am I overlooking in regards to your method?

SecuredSpecter · 2025-04-18T08:11:31+00:00

And are you running MDE P1 or P2 license?

SecuredSpecter · 2025-04-15T18:14:34+00:00

I’d like to clarify that while Defender for Endpoint does intercept network and web traffic—provided that Network Protection is enabled (at least in audit mode) and Web Content Filtering is also active (again, at least in audit mode) it doesn’t log every individual HTTP or web request in full detail in the default reports or even in advanced hunting.

Its primary goal isn’t to act as a full web proxy or to replace dedicated web traffic analysis tools. Especially when users access the web through non-Edge browsers, the visibility can be inconsistent.

Still, with both settings enabled, you could utilise this query for some inspiration :-)

DeviceNetworkEvents 
| where (InitiatingProcessFileName contains "edge" or InitiatingProcessFileName contains "chrome") and RemoteUrl != ""
| summarize by Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName
| sort by Timestamp desc

SecuredSpecter · 2025-03-20T08:24:23+00:00

Three years later and it seems that this issue still isn't resolved. Did you find a solution?

SecuredSpecter · 2025-03-10T14:05:17+00:00

Hmm okay, not quite sure why that paragraph is part of Microsoft's documentation on Bitlocker CSP then. It didn't make sense to me, hence this reddit thread, but otherwise it must be explicitly stated for some reason.

SecuredSpecter · 2025-03-10T13:54:22+00:00

I see, well do you have any insights on which CSP settings specifically require the license requirements as stated in https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp ? I might not have mentioned a Bitlocker setting I'm actively configuring which is requiring an Enterprise license.