About this baseline tool
Office 365 (Office 2016 / 16.0 policy paths)
Local, in-browser helper

Office 365 Baseline Script Assistant

This page explains what the Office 365 Baseline Script Assistant does, which controls it touches, and how to use the generated PowerShell script safely on Windows systems that run Office 2016 style Microsoft 365 Apps. The assistant builds a single script with Invoke-O365Baseline and Invoke-O365BaselineRollback functions so you can apply and attempt to undo its changes in a controlled way.

What this assistant is designed to do

The Office 365 Baseline Script Assistant is a local-only helper that builds a PowerShell script for registry based Office hardening. It follows a STIG style approach and focuses on protections that are useful for home users, solo professionals, and small environments.

  • Targets Office 16.0 policy registry paths for Microsoft 365 Apps on Windows.
  • Lets you pick individual controls or start from Relaxed, Strict, or Custom profiles.
  • Builds one script that you can review, version, and run on your own schedule.
  • Includes a companion rollback function that attempts to remove keys the script created.
Macros and VBA safety · Legacy IE and ActiveX protections · Privacy and connected experiences

Nothing is sent back to CyberLife Coach, to Microsoft, or to any third party. All selection logic and script generation happens in your browser tab.

How to use the generated script

The assistant produces a complete script that defines Invoke-O365Baseline and Invoke-O365BaselineRollback. You decide when to run either function.

  • Open the tool, choose Relaxed, Strict, or Custom, then select the controls you want.
  • Select “Generate PowerShell script” and copy or download the output.
  • Save it as a file, for example office365-baseline.ps1.
  • Right click PowerShell, choose “Run as administrator,” then run:
    .\office365-baseline.ps1
  • Apply the controls when you are ready by running:
    Invoke-O365Baseline
  • If you need to undo what this script did for supported keys, run:
    Invoke-O365BaselineRollback

Always test on a non critical machine first and take a snapshot or backup of your configuration before you make changes in a production environment.

Which protections this baseline can enforce

The assistant focuses on a concise set of registry based controls that are broadly useful for individuals and small environments. The exact registry blocks are visible inside the generated script so you can adjust, comment, or extend them.
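
One way to review those registry blocks before running anything, as an added example that is not part of the assistant or its generated script: it parses the saved file with PowerShell's own parser, without executing it, and lists the functions it defines and every registry path literal it contains. The file name is the one from the steps above; the "other: review" label is this example's own convention.

```powershell
# Added example: static review of a generated baseline script (nothing is executed).
# Assumption: the script was saved as office365-baseline.ps1 in the current folder.
$scriptPath = '.\office365-baseline.ps1'
$officeRoot = '\\Policies\\Microsoft\\Office\\16\.0'   # regex for the Office 16.0 policy root

$tokens = $null
$errors = $null
$ast = [System.Management.Automation.Language.Parser]::ParseFile(
    (Resolve-Path -LiteralPath $scriptPath).Path, [ref]$tokens, [ref]$errors)
if ($errors.Count) { throw "Script does not parse cleanly: $($errors[0].Message)" }

# Functions the file defines. The page names Invoke-O365Baseline and
# Invoke-O365BaselineRollback; anything else deserves a closer look.
$functions = $ast.FindAll({ param($n)
        $n -is [System.Management.Automation.Language.FunctionDefinitionAst] }, $true) |
    ForEach-Object Name
"Functions defined: $($functions -join ', ')"

# Every string literal (quoted or bare) that looks like a registry path,
# de-duplicated by path and shown with the line of one occurrence.
$ast.FindAll({ param($n)
        $n -is [System.Management.Automation.Language.StringConstantExpressionAst] -or
        $n -is [System.Management.Automation.Language.ExpandableStringExpressionAst] }, $true) |
    Where-Object { $_.Value -match '^(Registry::)?(HKLM|HKCU|HKEY_[A-Z_]+)[:\\]' } |
    ForEach-Object {
        [pscustomobject]@{
            Line  = $_.Extent.StartLineNumber
            Path  = $_.Value
            Scope = if ($_.Value -match $officeRoot) { 'Office 16.0 policy' } else { 'other: review' }
        }
    } |
    Sort-Object Path -Unique |
    Format-Table -AutoSize -Wrap
```

Paths that a script assembles from variables or concatenation show up only as fragments here, so treat the table as a reading aid, not a substitute for reading the script.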

Relaxed profile

  • Blocks macros in Office files from the Internet for Access.
  • Enables VBA macro runtime scanning for all documents so AV has better context.
  • Requires digitally signed macros in Excel by setting vbawarnings = 3.
  • Disables connected experiences that automatically download online content.
  • Disables additional optional connected experiences for better privacy posture.

Relaxed is designed as a sensible baseline for most home users and solo professionals, since it adds meaningful protection while keeping core Office functions usable.

Strict profile

  • Includes everything in Relaxed.
  • Turns on Local Machine Zone lockdown for common Office executables.
  • Enables object caching protection for Office when hosted by IE components.
  • Enables zone elevation protection to reduce silent jumps between zones.
  • Restricts ActiveX installation in Office host contexts.
  • Enforces scripted window security restrictions to reduce spoofing risk.

Strict is aimed at hardened builds where legacy intranet apps and older ActiveX based add-ins are either not used or can be safely retired.

Before you roll this out widely

  • Confirm that you are allowed to modify Office policy keys on the devices in scope.
  • Export relevant registry branches or take a full system backup before testing.
  • Read through the generated script so every registry path and value makes sense.
  • Check for overlap with existing Group Policy or MDM baselines from your employer.
  • Apply and evaluate on a single, non critical machine before using it anywhere else.
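
The backup and overlap checks from this list, as an added example (not the assistant's code): it exports the Office 16.0 policy branches to .reg files and lists the values already set there, which is where Group Policy or MDM settings would appear. The two registry roots and the backup folder name are assumptions; match the roots to the paths in your generated script.

```powershell
# Added example: back up and inventory the Office 16.0 policy branches before testing.
# Assumption: these are the branches your generated script writes to.
$roots = @(
    'HKCU\Software\Policies\Microsoft\Office\16.0',
    'HKLM\SOFTWARE\Policies\Microsoft\Office\16.0'
)
# Hypothetical backup location; any folder you control will do.
$backupDir = Join-Path $env:USERPROFILE ('O365-policy-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($root in $roots) {
    # Convert 'HKCU\...' to the PowerShell drive form 'HKCU:\...'.
    $psPath = $root -replace '^(HK\w+)\\', '$1:\'
    if (-not (Test-Path -LiteralPath $psPath)) {
        Write-Host "No existing policy branch: $root"
        continue
    }

    # 1) Export the branch so it can be restored later with 'reg import <file>'.
    $file = Join-Path $backupDir (($root -replace '[\\ ]', '_') + '.reg')
    & reg.exe export $root $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $root" }
    Write-Host "Exported $root -> $file"

    # 2) List values already present under the branch. Anything shown here was
    #    set by something else (GPO, MDM, an earlier script) and may overlap
    #    with, or be overwritten by, the baseline.
    $keys = @(Get-Item -LiteralPath $psPath) +
            @(Get-ChildItem -LiteralPath $psPath -Recurse -ErrorAction SilentlyContinue)
    $keys | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Value = $name
                Data  = $key.GetValue($name)
                Kind  = $key.GetValueKind($name)
            }
        }
    } | Format-Table -AutoSize -Wrap
}
```

Run it as the user whose Office profile will be hardened: from an elevated prompt opened with a different account, HKCU refers to that account's hive.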

Good next steps

  • Store your adjusted baseline script in version control or a secure admin repository.
  • Document which controls you enabled, why you chose them, and how to reverse them.
  • Revisit this baseline whenever your Office channel, add-ins, or browser integrations change.
  • Pair this Office hardening with host baselines such as Windows 11, browser, and firewall tools.

This tool includes a curated subset of DISA STIG controls selected for real world use by home users, entrepreneurs, digital nomads, and small businesses. It is not a full STIG implementation but a practical baseline designed to reduce your attack surface.

Important notice & Legal disclaimer
This assistant and the generated script are provided for educational and informational use only. They do not replace professional advice and they do not guarantee compliance with DISA STIGs, NIST CSF, or any other framework. All logic runs locally in your browser and the output script stays on your system, yet you are fully responsible for how you use it. Always test in a safe environment, verify every line, and make sure you have reliable backups and recovery plans before applying changes. Do not run this baseline on employer or school managed devices without explicit written approval from whoever owns those environments.