You use OneDrive for Business file restore to recover files after a ransomware attack, but the restored files are missing the most recent versions you worked on before the attack. This happens because the file restore feature only recovers versions that existed before the ransomware modified or encrypted them, and changes saved just before the attack may fall outside the default version history window. This article explains why recent changes can be lost during a ransomware recovery, provides step-by-step instructions to locate and restore those missing versions, lists related failure patterns and their fixes, and compares recovery methods so you can choose the right approach.
Key Takeaways: Restoring Recent Changes After Ransomware in OneDrive
- OneDrive file restore > Version history > Select date range: The file restore tool only recovers files to a point in time based on available version history, typically up to 30 days for Microsoft 365 Business subscribers.
- Version history panel > Restore a previous version: If file restore misses recent changes, open each file’s version history directly to find and restore the exact version you need.
- OneDrive recycle bin > Second-stage recycle bin: Deleted files from ransomware may still be recoverable from the site collection recycle bin, which holds items for up to 93 days.
Why OneDrive File Restore Misses Recent Changes After Ransomware
The OneDrive for Business file restore feature works by scanning version history for all files in your OneDrive and reverting them to a state before a selected point in time. When ransomware attacks, it often encrypts or renames files rapidly, and the file restore tool can only roll back to versions that existed before the encryption timestamp. If you saved a file minutes before the ransomware hit, that version may still be present in version history, but the restore tool might skip it if the attack corrupted the file metadata or if the restore range you selected does not include that exact moment.
Additionally, the default version history retention for OneDrive for Business is 30 days for users with Microsoft 365 Business Basic, Standard, or Premium licenses. If your organization has set a custom retention policy, the window could be shorter or longer. The file restore tool also cannot recover files that were permanently deleted before the restore operation, nor can it recover changes that were never synced to the cloud because the user was offline when the attack occurred.
Steps to Recover Recent Changes Missed by OneDrive File Restore
Follow these steps in order. If one method does not recover the missing changes, proceed to the next.
Step 1: Check the OneDrive Recycle Bin for Deleted Files
- Open the OneDrive recycle bin
Go tohttps://onedrive.live.comand sign in. In the left navigation pane, select Recycle bin. Look for files that were deleted by the ransomware. Select the files you need and click Restore. - Check the second-stage recycle bin
If the files are not in the recycle bin, click Second-stage recycle bin at the bottom of the recycle bin page. This bin retains deleted items for up to 93 days for SharePoint Online site collections. Select the files and click Restore.
Step 2: Restore Individual File Versions from Version History
- Navigate to the affected file
In OneDrive, browse to the folder that contains the file with missing recent changes. Right-click the file and select Version history. Alternatively, select the file and click the … (ellipsis) menu, then choose Version history. - Locate the most recent version before the attack
The version history panel lists all saved versions with timestamps. Look for the version that was saved just before the ransomware encrypted the file. That version will have a timestamp earlier than the attack time. Click the three dots next to that version and select Restore. Confirm the restoration.
Step 3: Use a Broader Date Range in File Restore
- Open the OneDrive file restore tool
Go tohttps://onedrive.live.com, click the Settings gear icon in the top-right corner, select Options, then click Restore your OneDrive. - Set a custom date range
In the restore dialog, choose Custom date and time. Set the start time to several hours before you suspect the ransomware struck, and the end time to just after the attack. This forces the tool to scan a wider version history. Click Restore. Review the restored files and check if the recent changes are now present.
Step 4: Recover from a Local Backup or Sync Client Cache
- Check the local OneDrive folder
On your Windows device, open File Explorer and navigate to the OneDrive folder. Look for files with a green check mark (synced) or a blue cloud icon (online-only). If the ransomware encrypted local copies, those files will be unusable. However, if you had Files On-Demand enabled and the files were not downloaded locally, the cloud versions may still be intact. - Restore from a previous Windows backup
If you have File History or System Restore enabled, right-click the OneDrive folder, select Restore previous versions, and choose a version from before the attack. This works only if the backup was running before the ransomware hit.
If OneDrive File Restore Still Misses Recent Changes
Files were never synced to the cloud
If the user was working offline when the ransomware hit, the recent changes only exist on the local device. In this case, the file restore tool cannot recover those changes because they were never uploaded. To recover, disconnect the device from the network immediately, then copy the local OneDrive folder to an external drive. Use a ransomware decryption tool if the files are encrypted, or restore from a local backup.
Version history retention has expired
If the recent changes were made more than 30 days ago and your organization has the default retention policy, those versions are permanently deleted. Contact your Microsoft 365 admin to check if the retention policy was extended. If not, the only recovery option is from an external backup or a local copy.
File restore tool shows no versions to restore
This can happen if the ransomware deleted the file entirely and the recycle bin was emptied. In that case, check the second-stage recycle bin. If the file is not there, use the eDiscovery tool in the Microsoft 365 compliance center to search for deleted files. Your admin can perform this search if you do not have permissions.
OneDrive File Restore vs Version History vs Recycle Bin: Key Differences
| Item | OneDrive File Restore | Version History |
|---|---|---|
| Scope | Restores all files in your OneDrive to a point in time | Restores a single file to a specific version |
| Retention | Up to 30 days for Microsoft 365 Business subscribers | Same as file restore retention |
| Recycle Bin | Restores deleted files and folders | Does not restore deleted files |
Use file restore for bulk recovery after ransomware. Use version history when you need a specific recent version that the bulk restore missed. Use the recycle bin when files were deleted entirely.
You can now recover recent changes that OneDrive file restore missed by checking version history for each file, expanding the date range in the restore tool, and using the recycle bin. Next, configure version history retention to 90 days in the Microsoft 365 admin center to give yourself a wider recovery window. An advanced tip: enable Preservation Hold library in SharePoint Online to prevent permanent deletion of files during a ransomware attack.