OneDrive Admin Checklist: file restore misses recent changes for ransomware recovery

When you recover a OneDrive after a ransomware attack, you may find that the files put back by the standard Files Restore feature do not include changes made shortly before the restore point you chose; this article treats the final 30 minutes before that point as the at-risk window. Anything in that window that is not recovered by hand is lost. The reason is how Files Restore decides what to revert: it rolls every file back to the version that existed at the restore point, and nothing saved after that point, and nothing that never reached the cloud as a version, is part of what it puts back. This article explains why the gap occurs, gives a step-by-step admin checklist to close it, and lists related failure patterns to verify after any ransomware recovery.

Key Takeaways: OneDrive File Restore Ransomware Gap Checklist

  • User's OneDrive > Settings > Restore your OneDrive: Reverts the whole OneDrive to a point in the last 30 days, undoing every change made after that point. Treat the last 30 minutes before the restore point as the at-risk window and verify it separately. (The old OneDrive admin center has been retired; an admin reaches a user's OneDrive through the Microsoft 365 admin center.)
  • PnP PowerShell > Get-PnPFolderItem and Get-PnPFileVersion: Use these cmdlets to list every file and its version history, and to find files with a version saved inside the at-risk window.
  • File > Version history > Restore (in the OneDrive web UI, or Restore-PnPFileVersion): Use the per-file version restore for the files the bulk restore missed, especially those saved in the last 30 minutes before the restore point.


Why OneDrive File Restore Misses Recent Changes

Files Restore works by reverting every file in the OneDrive to a chosen point in time within the past 30 days. It does this from version history and the recycle bin, not from a separate backup: a version is written each time a save reaches the cloud, so a file that was still being edited, or that was changed only on a device that had not finished syncing, has no version for that state. Files Restore can only put back states that exist as versions at or before the restore point, and it undoes everything after it. In the scenario this checklist addresses, the window of changes you have to re-check by hand is up to 30 minutes before the restore point.

The restore operation also cannot bring back files that were deleted and then purged from the second-stage recycle bin before the restore point. SharePoint Online keeps deleted items for 93 days across both recycle bin stages; if the ransomware deleted files and that retention has already expired (or an admin emptied the second-stage bin), those files are gone even after a restore.

Another root cause is that Files Restore operates on the whole OneDrive (or, for SharePoint, a whole document library), not on individual files. It returns the entire library to its state at the restore point. A file created after that point is removed, and a file modified after it is rolled back; the later versions remain in version history, so they can be recovered, but only by hand, file by file.

Admin Checklist: Closing the 30-Minute Restore Gap

Use this checklist immediately after a ransomware recovery to identify and restore files that the bulk file restore missed.

  1. Verify the restore point time
    Open the affected user's OneDrive as an admin: in the Microsoft 365 admin center go to Users > Active users, select the user, open the OneDrive tab and choose Create link to files (this makes you a site collection admin of that OneDrive). In the OneDrive, open Settings > Restore your OneDrive and note the exact date and time of the restore point you selected. That time is the cutoff: any change saved after it was reverted, and anything saved in the at-risk window just before it must be checked by hand.
  2. Run a version history audit with PowerShell
    Install the PnP.PowerShell module and connect to the user's OneDrive with Connect-PnPOnline -Url "https://yourtenant-my.sharepoint.com/personal/user_yourtenant_onmicrosoft_com" -Interactive (newer module versions also require -ClientId for your own app registration). List every file with Get-PnPFolderItem -FolderSiteRelativeUrl "Documents" -ItemType File -Recursive, then inspect each file's history with Get-PnPFileVersion -Url <server-relative path>. Judge by the version timestamps, not the current Modified time: a restore writes a new version, so the current Modified time tells you when the restore ran, not when the content was last saved. Files that have a version saved inside the at-risk window before the cutoff are the candidates the bulk restore may have missed.
  3. Check the second-stage recycle bin
    In the user's OneDrive, open Recycle bin and then Second-stage recycle bin. Files deleted before the restore point and already purged by retention will not appear and cannot be recovered. If they are still in the second-stage bin, restore them manually (or with Restore-PnPRecycleBinItem).
  4. Restore missed files from version history
    For each file identified in step 2, open Version history for the file (ellipsis menu > Version history), pick the version whose timestamp matches what you want back, and click Restore. Restoring a version adds it as a new current version; it never deletes existing versions, so a wrong choice can be corrected.
  5. Keep versioning enabled and long enough
    Files Restore depends on version history. In the SharePoint admin center, review the version history limits under Settings, and on an individual OneDrive or library check Library settings > Versioning settings. Do not disable versioning or trim versions so aggressively that the 30-day restore window is no longer covered.
  6. Run a validation scan
    Compare the file count and total size against the inventory you recorded before the incident (or before the restore), using a script or a third-party tool. A shortfall means files that still need manual recovery.


If OneDrive File Restore Still Has Issues After the Checklist

Files restored but content is corrupted

If a restored file opens but shows scrambled content or missing data, the ransomware had already encrypted the file before the restore point, and the encrypted save is itself a version in the history. Open Version history for the file and pick a version from before the attack started; the version size and the account that saved it help you spot the first encrypted save. You may need to check several versions to find the last clean one.

Restore operation fails with error code 0x80070057

0x80070057 is the generic Windows "invalid parameter" result (E_INVALIDARG) and is not a diagnosis specific to Files Restore; treat it as a failed request. The documented hard limit is the 30-day window: a restore point older than that cannot be used at all. Very large OneDrives simply take longer to restore. Choose a more recent restore point, retry, and if the bulk restore keeps failing, fall back to per-file version restores (in the UI or with Restore-PnPFileVersion) for the files you have identified.

Files in shared folders are not restored

Files Restore only affects the OneDrive it is run on. Files that live in another user's OneDrive and were merely shared with this user are untouched; you must run the restore on each affected user's OneDrive individually. For folders that live in a SharePoint document library, restore that library itself: open the library's Settings menu and choose Restore this library.

Bulk Files Restore vs Manual Version History Restore: Key Differences

Item                        Bulk Files Restore                                          Manual Version History Restore
Scope                       Entire OneDrive (or one SharePoint document library)        One file at a time
Time gap                    Everything after the restore point is reverted;             None: you pick the exact version you want
                            changes in the minutes before it must be re-checked
Recovery of deleted files   Whatever was in the recycle bin at the restore point         Not applicable; a deleted file must be restored from the recycle bin first
Speed                       One operation for the whole library; longer when large      Seconds per file
Who can run it              The OneDrive owner, or an admin made site collection admin  Anyone with edit permission on the file

Use the bulk restore first to revert the majority of files. Then use manual version history restore for the files that fall into the at-risk window, and the recycle bin for anything deleted before the restore point that is still in the second-stage bin.

After completing this checklist, you have closed the gap between the bulk restore and the actual file changes. The next step is to make sure you hear about the next incident early: OneDrive's built-in ransomware detection notifies the affected user, and tenant-wide alerting comes from alert policies in the Microsoft 365 Defender and Purview portals. Note that retention policies and labels preserve content for compliance but do not extend the 30-day Files Restore window; if you need to roll a OneDrive back further than that, you need a backup solution (for example Microsoft 365 Backup or a third-party product) rather than version history.
