OneDrive for Business file restore troubleshooting for ransomware recovery: misses recent changes

You used the OneDrive for Business file restore feature after a ransomware attack, but you notice that some files are missing the most recent changes you made before the attack. This is a common problem when the ransomware encrypted newer file versions before OneDrive’s version history captured them. This article explains why recent changes can be missing after a file restore, how to verify what was restored, and how to recover the latest versions that were not included in the restore operation.

Key Takeaways: Recovering Files Missed by OneDrive File Restore

  • OneDrive version history: Stores up to 500 major versions per file, but a ransomware attack can corrupt the latest version before the next version is saved.
  • File restore time range: You can restore files to any point in the last 30 days, but only versions that existed at that exact time are recovered.
  • Check the recycle bin: Deleted or overwritten files that were not part of the restore may still be in the site recycle bin for up to 93 days.

Why OneDrive File Restore Misses Recent Changes After Ransomware

OneDrive for Business file restore works by reverting all files in your OneDrive to a specific point in time within the last 30 days. When you trigger a restore, OneDrive replaces the current state of each file with the version that existed at the selected timestamp. However, ransomware often encrypts files in waves. If the encryption happened minutes before the restore point you selected, the restored version may be the encrypted file itself, not the clean version you expected.

Additionally, OneDrive version history saves a new version only when a file is saved and synced. If the ransomware encrypted the file locally and that encrypted version synced to the cloud before you could act, the most recent clean version may be several saves behind. The file restore feature does not attempt to find the last clean version automatically. It restores exactly what existed at the chosen time. If that time falls after the encryption started, you get the encrypted file.

Another factor is the 30-day restore window. OneDrive for Business retains version history for up to 30 days for files that are not deleted. If the ransomware attack occurred 28 days ago, you can only restore to a point within that window. Changes older than 30 days are not recoverable through file restore alone.

Version History vs File Restore Timeline

Version history stores individual file versions independently. File restore applies a single timestamp to all files in the library. This means that if file A was last saved at 2:00 PM and file B at 2:05 PM, and you restore to 2:03 PM, file A will have its 2:00 PM version but file B will be missing its 2:05 PM version because that version did not exist at the restore point. The file restore process does not merge versions across different timestamps.
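
The timeline difference described above, as an added example (not code from the original article or from Microsoft): it models a library-wide restore to one timestamp against each file's own version history and reports which files still need a per-file recovery. The file names, timestamps and the `encrypted` flag on each version are constructed assumptions.

```python
from bisect import bisect_right
from datetime import datetime

def t(hhmm):
    """Build a timestamp on one constructed sample day."""
    return datetime.fromisoformat(f"2024-05-01T{hhmm}:00")

# Constructed sample data: per-file version history as (saved_at, encrypted)
# pairs, oldest first. The "encrypted" flag is an assumption set during triage.
HISTORY = {
    "budget.xlsx": [(t("13:00"), False), (t("14:00"), False), (t("14:10"), True)],
    "report.docx": [(t("13:30"), False), (t("14:05"), False),
                    (t("14:20"), False), (t("14:30"), True)],
    "notes.txt": [(t("12:00"), False)],
}

def version_at(versions, when):
    """Version a library-wide restore to `when` yields: latest saved at or before it."""
    i = bisect_right([saved for saved, _ in versions], when)
    return versions[i - 1] if i else None

def last_clean(versions):
    """Latest version saved before the file's first encrypted version."""
    clean = None
    for version in versions:
        if version[1]:
            break
        clean = version
    return clean

def plan_recovery(history, restore_point):
    """Compare what the restore gives each file with what version history holds."""
    plan = {}
    for name, versions in history.items():
        restored, clean = version_at(versions, restore_point), last_clean(versions)
        if restored is None:
            plan[name] = "absent at restore point"
        elif restored[1]:
            plan[name] = "restored encrypted"
        elif clean and clean[0] > restored[0]:
            plan[name] = f"missing changes; restore {clean[0]:%H:%M} from version history"
        else:
            plan[name] = "ok"
    return plan
```

With a restore point of 14:03, report.docx comes back at its 13:30 version even though a clean 14:20 version is still in its version history.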

Steps to Recover Recent Changes Missed by File Restore

If the file restore operation did not include your most recent changes, follow these steps to locate and recover the missing versions.

  1. Check the OneDrive recycle bin
    Open your OneDrive in a web browser. Select Recycle bin from the left navigation. Look for files that were deleted during the ransomware cleanup. If the files are there, select them and click Restore. Files stay in the recycle bin for 30 days or until emptied.
  2. View version history for individual files
    Navigate to the file in OneDrive online. Right-click the file and select Version history. Look for versions saved after the restore point you used. Versions are listed with timestamps. Select a version and click Restore to recover it. This works even if the current file is encrypted.
  3. Use the second-stage recycle bin
    If the recycle bin is empty, check the Second-stage recycle bin. This is available to OneDrive for Business admins. Go to the SharePoint admin center, find the user’s OneDrive site, and open Recycle bin. Click Second-stage recycle bin at the bottom. Files deleted from the first recycle bin remain here for up to 93 days total.
  4. Perform a second file restore to an earlier point
    If you suspect the restore point was too late, run the file restore again. In OneDrive online, click Settings > Restore your OneDrive. Select a time before the ransomware attack started. Review the list of files that will be changed. Click Restore. This overwrites current files with versions from the earlier point.
  5. Download a previous version directly
    If version history shows a clean version but you want to avoid overwriting the current file, open the version history, find the version, click the three dots, and select Download. Save the file locally with a new name. Then upload it to OneDrive.

If OneDrive File Restore Still Misses Recent Changes

Files were saved locally but never synced

If the user worked offline and the files were not synced before the ransomware hit, OneDrive has no version of those changes. Check the local OneDrive folder for any partially synced files. Look for files with a red X or a sync error icon. Use the Sync conflicts folder to find locally saved versions. The sync conflicts folder is typically at C:\Users\[username]\OneDrive\OneDrive - [tenant name]\Sync conflicts.

File restore does not include shared folders

OneDrive file restore only affects files in the user’s own OneDrive. Files stored in shared folders or SharePoint document libraries are not included. For those files, use the SharePoint document library version history or the SharePoint file restore feature. In SharePoint, go to the document library, click Settings > Restore this library, and select a time point.

Version history is missing entries

OneDrive retains up to 500 major versions per file. If the file was saved more than 500 times in the last 30 days, the oldest versions are removed. If the ransomware attack happened after the 500th save, the clean version may have been deleted automatically. In this case, check with the IT admin to see whether Microsoft 365 retention policies or a third-party backup tool can recover the missing versions.

OneDrive File Restore vs Version History: Key Differences

| Item | File Restore | Version History |
|---|---|---|
| Scope | All files in the user’s OneDrive | Single file at a time |
| Time selection | Any point in the last 30 days | Specific version timestamps |
| Number of versions restored | One version per file at the chosen time | One version selected manually |
| Recovery of deleted files | Yes, if deleted before the restore point | Only if the file still exists in the library |
| Impact on current files | Overwrites all files with older versions | Replaces only the selected file |
| Availability for shared folders | No | Yes, if the user has edit permissions |

After a ransomware attack, always check version history for individual files before running a full file restore. This gives you the most recent clean version without overwriting other files. For files that were not included in the restore, use the recycle bin and the second-stage recycle bin. If you still cannot recover the recent changes, contact your Microsoft 365 admin to check backup policies or third-party backup solutions that may have captured versions outside the 30-day window.
