Recovering from Crypto- or Ransomware attacks with the OneDrive for Business Admin Tool

Recently, I had a requirement come up to enable the bulk restore of content from a OneDrive for Business site in the event of a cryptoware or ransomware attack.  OneDrive has versioning turned on, so I figured this would be an "easy" add.  As with most of my initial thoughts on how long something should take (see "IT time"), it turned out to be a little more complicated than I originally thought.

However, I felt that this tool could really be of benefit to organizations planning their migrations to OneDrive for Business who were concerned with the ability to recover from a malware attack that compromised user files.

I decided to add this functionality to my existing OneDrive for Business Admin Tool, since I already had a lot of the foundational code in place to enumerate and manipulate OneDrive sites.  A user self-service restore mechanism was recently announced at Ignite, which you can read about here.

This version of the tool has several restore capabilities, outlined below:

  • Restore Versions by Date
  • Restore Versions using the most recent previous saved version
  • Restore Versions by going back "n" number of versions

In order to successfully restore versions for a user's OneDrive, you will need to be granted access to their site, which you can do by running the following command (remove that access again once the restore is complete, so the account does not keep standing rights over the user's files):

 .\OneDriveForBusinessAdmin.ps1 -Credential (Get-Credential) -GrantPermissions -Identity <onedriveuser@domain.com>

To restore the files in a user's library by date, using a modified date of 4 days ago:

 .\OneDriveForBusinessAdmin.ps1 -Credential (Get-Credential) -RestoreVersions ByDate -FilesModifiedOnThisDate ((Get-Date).AddDays(-4)) -Identity <onedriveuser@domain.com> -Tenant <tenant>

This will enumerate the user's OneDrive for Business library, find files that have a version saved on that date, and restore the second most recent version from that date, since the most recent version saved on the "infected" date is more than likely the encrypted copy. Spot-check the restored files afterwards: if the malware rewrote a file more than once on that date, the second most recent version from that date is also encrypted, and you will need to go back further (for example with the ByNumberOfVersionsToGoBack option described next) for those files.

To restore the files in a user's library by just selecting the most recent previous version:

 .\OneDriveForBusinessAdmin.ps1 -Credential (Get-Credential) -RestoreVersions ByNumberOfVersionsToGoBack -Identity <onedriveuser@domain.com> -Tenant <tenant>

And, to restore the files in a user's library by specifying a number of versions to go back (keep in mind that the current version "counts" as a version):

 .\OneDriveForBusinessAdmin.ps1 -Credential (Get-Credential) -RestoreVersions ByNumberOfVersionsToGoBack -Identity <onedriveuser@domain.com> -Tenant <tenant> -VersionsToGoBack 4
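The version-selection logic behind the restore commands above, as an added example that is not code from the OneDrive for Business Admin Tool. It runs offline over constructed version records; the property names VersionLabel, Created and IsCurrentVersion are assumed to mirror the SharePoint CSOM FileVersion object, and the -PreferPreInfectionVersion switch is an assumed addition that handles the "encrypted twice on the same day" case, not a switch of the tool:

```powershell
function Select-VersionToRestore {
    <#
    .SYNOPSIS
    Picks the version of one file to roll back to, using the two rules the
    post describes. Returns $null when there is no safe candidate.
    #>
    [CmdletBinding()]
    param(
        # All versions of one file (any order); exactly one has IsCurrentVersion = $true.
        [Parameter(Mandatory)] [object[]] $Versions,

        [Parameter(Mandatory)]
        [ValidateSet('ByDate', 'ByNumberOfVersionsToGoBack')]
        [string] $Mode,

        # ByDate: the calendar day on which the files were encrypted.
        [datetime] $FilesModifiedOnThisDate,

        # ByNumberOfVersionsToGoBack: the current version counts as 1,
        # so the default of 2 selects the most recent previous version.
        [int] $VersionsToGoBack = 2,

        # Assumed safeguard, not a switch of the original tool: skip every
        # version saved on the infected day and take the newest one before it,
        # which also survives a file that was encrypted more than once that day.
        [switch] $PreferPreInfectionVersion
    )

    $newestFirst = @($Versions | Sort-Object Created -Descending)
    $candidate   = $null

    switch ($Mode) {
        'ByDate' {
            if (-not $FilesModifiedOnThisDate) { throw 'ByDate requires -FilesModifiedOnThisDate' }
            $day       = $FilesModifiedOnThisDate.Date
            $before    = @($newestFirst | Where-Object { $_.Created.Date -lt $day })
            $onThatDay = @($newestFirst | Where-Object { $_.Created.Date -eq $day })

            if ($PreferPreInfectionVersion) {
                if ($before.Count -gt 0) { $candidate = $before[0] }
            }
            elseif ($onThatDay.Count -ge 2) {
                # The post's rule: second most recent version saved on the infected day.
                $candidate = $onThatDay[1]
                if ($before.Count -gt 0) {
                    Write-Warning ('Version {0} was itself saved on {1:d}; if the file was encrypted more than once that day it is still encrypted. Consider -PreferPreInfectionVersion.' -f $candidate.VersionLabel, $day)
                }
            }
        }
        'ByNumberOfVersionsToGoBack' {
            if ($VersionsToGoBack -lt 2) { throw '-VersionsToGoBack must be at least 2; 1 is the current version' }
            if ($newestFirst.Count -ge $VersionsToGoBack) { $candidate = $newestFirst[$VersionsToGoBack - 1] }
        }
    }

    # Never hand back the current version: restoring it would re-apply the encrypted copy.
    if ($candidate -and -not $candidate.IsCurrentVersion) { return $candidate }
    return $null
}

# Constructed sample (not real tenant data): one file saved four times; versions
# 3.0 and 4.0 are the ransomware's output, i.e. the file was encrypted twice on 2017-10-05.
$versions = @(
    [pscustomobject]@{ VersionLabel = '1.0'; Created = [datetime]'2017-10-01T09:00'; IsCurrentVersion = $false }
    [pscustomobject]@{ VersionLabel = '2.0'; Created = [datetime]'2017-10-03T16:30'; IsCurrentVersion = $false }
    [pscustomobject]@{ VersionLabel = '3.0'; Created = [datetime]'2017-10-05T10:15'; IsCurrentVersion = $false }
    [pscustomobject]@{ VersionLabel = '4.0'; Created = [datetime]'2017-10-05T14:40'; IsCurrentVersion = $true }
)
$infected = [datetime]'2017-10-05'

# The post's ByDate rule (second most recent version saved on the infected day).
Select-VersionToRestore -Versions $versions -Mode ByDate -FilesModifiedOnThisDate $infected

# The assumed safeguard (newest version saved before the infected day).
Select-VersionToRestore -Versions $versions -Mode ByDate -FilesModifiedOnThisDate $infected -PreferPreInfectionVersion

# Go back a fixed number of versions; the current version counts as 1.
Select-VersionToRestore -Versions $versions -Mode ByNumberOfVersionsToGoBack -VersionsToGoBack 4
```

With this sample the post's rule lands on the first encrypted copy, which is exactly the case the warning is for, while the pre-infection variant skips the whole infected day. Whatever rule you use, the selected label is what you would pass to the SharePoint CSOM call that performs the actual rollback, FileVersionCollection.RestoreByLabel on the file's Versions collection followed by ExecuteQuery on the client context; that call, and the authentication needed for it, are deliberately left out of the example above so that it runs without a tenant.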

You can find the updated version of the OneDrive for Business Admin tool on the TechNet Gallery.  I look forward to your comments and suggestions!