Hi,
An important user in my org'n had lost his One Drive Client which wasn't supposed to happen and we're trying to trace possible triggers etc. The last sync for One Drive has been found on 20th Jan and hence its assumed that the removal incident took place around that time As we use SCCM for software deployment initial efforts started with that. I've checked all status message for a specified computer and couldn't find any specific records indicating removal for the relevant date range. Have also checked the SCCM client logs for any uninstall activity in this date range and couldn't find any. Now we don't have direct access to the affected computer but can map drives, map event viewer and run scripts remotely to fetch any information. In the worst case we can indeed obtain remote control of the computer.
Since One Drive client gets installed in local user context (and I requested to be corrected here if different) what are the recommended logs, sources, paths, I could look into on the affected computer to find any information to trace the relevant information for the One Drive client removal?
Further attempts to analyse..
Trying to run the below script remotely on the affected computer.
Get-ChildItem -Path HKLM:Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | Get-ItemProperty | Sort-Object -Property DisplayName | Select-Object -Property DisplayName, DisplayVersion, InstallLocation, InstallDate | where {$_.DisplayName -eq 'Microsoft OneDrive'}
Also tried to check the below path on the affected user computer but couldn't find any relevant logs for uninstall of One Drive client
C:\Users\UserNam\AppData\Local\Microsoft\OneDrive\setup\logs
Thanks in advance..
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 93%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESV%3C/text%3E%3C/svg%3E)
