OneDrive login issues & AAD broker

Hi all,

We've been kind of stuck here with an issue. We have around 800 devices, mostly laptops, with Windows 10 & Office 2016. 99% is AD-joined, a small test-group running Intune.

We are looking into migrating towards MS 365, specifically OneDrive. We have no issues with upgrading Office 2016 to 365, but when users start OneDrive, it gives errors, specifically:

• When users are logging in with the email address connected to their Windows-account: Proxy verification error, check your proxy configuration and try again [2606], error code 0x8004e4c3.
• When you login with another account (and thus not using the Windows credentials to login) we're stuck on 404 for login.microsoftonline.com. No network connection, check your network settings and try again [2603], error code 0x8004e4c3. Obviously, the site is reachable via a web-browser. We're getting the same error if we try to login into OneDrive with an account from another tenant, personal OneDrive (@outlook.com) works fine.

Some observations: - It happens as well on the same device when someone else logs in (that didn't login in before previously, no userfolder)

• When the laptop is fully re-installed, it works perfectly fine
• It works fine on the small test-group of Intune devices
• When the laptop is connected to another network that isn't our corporate network, it works fine
• Setting up or changing WHfB loads a screen, and then goes away almost instantly (using the PIN still works)

And it all seems to come down to the Microsoft.AAD.BrokerPlugin, changing the name or removing the folder from C:\Windows\SystemApps seems to solve the problem, but since it's needed for modern auth, which will become enforced in the future, it's more of a workaround.

What we've tried: - Re-registering the brokerplugin, no results

• Removing the brokerplugin folder from %localappdata%, no success (issue also occurs with new accounts on the same device)
• Resetting advanced settings in IE
• Checking/unchecking auto-detect proxy settings in IE options
• sfc /scannow
• Reinstalling OneDrive
• IIS Crypto --> best practises

Re-installing 800 devices is not viable for us, anyone here that has any other ideas?

EDIT Two relevant entries in the event viewer:

• Error 0xCAA5001C Token broker operation failed. Operation name: GetTokenSilently, Error: -895025148 (0xcaa70004), Description: The server or proxy was not found.
• Error 0xCAA70004 The server or proxy was not found