What this assistant is designed to do
The OneDrive Security Baseline Script Assistant helps you turn a set of OneDrive-related hardening choices into a single, readable PowerShell script. You choose the protections you want, then the tool builds a script that applies safer defaults to local OneDrive working paths, logs, cache folders, and related sync locations on systems you control.
Who it is for
- People who sync sensitive data with OneDrive and want stronger local defaults.
- Small teams that keep project folders mirrored to OneDrive from Windows PCs.
- Admins and homelab builders who prefer plain PowerShell to manage permissions and layouts.
The tool does not log in to your OneDrive account or change cloud settings. It only touches local paths and configuration settings you point it at, using PowerShell and standard Windows utilities.
What the script includes
- Options to tighten permissions on OneDrive sync folders and working directories.
- Safer defaults for logs and cache locations where that makes sense for your setup.
- Clearly marked manual steps for account-level changes like MFA and sign-in alerts.
- A simple “pre / post” JSON snapshot under %ProgramData%\CyberLifeCoach\Reports\OneDriveBaseline so you can track what was selected on each run.
How profiles work (Relaxed, Strict, Custom)
When you use the main assistant page you can choose Relaxed, Strict, or Custom. Relaxed focuses on safer file system changes that rarely break normal OneDrive syncing. Strict layers on tighter ownership, permission, and logging rules that may affect shared accounts or legacy tooling. Custom lets you hand-pick each control so you can align the script with your own risk tolerance and storage model.
How to use it in a safe workflow
- Generate the script from the main assistant and save it as onedrive-baseline.ps1.
- Read through every section, especially anything that changes NTFS permissions, ownership, or local configuration settings.
- Create a full backup or image of the device and OneDrive data before you change anything.
- Test on a non-critical system or a small test folder first from an elevated PowerShell window using .\onedrive-baseline.ps1 apply, and review the output carefully.
- If you need to undo changes that support rollback, run .\onedrive-baseline.ps1 rollback on the same system.
- After you are comfortable with the effect of each control, decide which pieces belong in your regular backup scripts, scheduled tasks, or config-management tooling.
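One way to confirm what the apply step changed on a test folder, as an added example that is not part of the generated script or the assistant: it records every NTFS access entry before and after the run and lists the differences. The file name acl-check.ps1, the test folder path, and the output directory are assumptions.

```powershell
# acl-check.ps1 (hypothetical name): read-only ACL snapshot and diff.
# Usage, from the same elevated session used for the baseline script:
#   .\acl-check.ps1 before ; .\onedrive-baseline.ps1 apply ; .\acl-check.ps1 after
#   .\acl-check.ps1 diff
param(
    [Parameter(Mandatory, Position = 0)]
    [ValidateSet('before', 'after', 'diff')]
    [string]$Mode,
    # Assumed locations; point these at your own test folder and scratch directory.
    [string]$TestFolder = "$env:USERPROFILE\OneDrive\BaselineTest",
    [string]$OutDir = "$env:TEMP\onedrive-acl-check"
)

function Get-AclSnapshot {
    param([string]$Root)
    # The root folder itself plus everything beneath it, hidden items included.
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            # One flat row per access entry so rows can be compared directly.
            [pscustomobject]@{
                Path      = $item.FullName
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights.ToString()
                Type      = $ace.AccessControlType.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

if ($Mode -ne 'diff') {
    $rows = @(Get-AclSnapshot -Root $TestFolder)
    ConvertTo-Json -InputObject $rows -Depth 3 |
        Set-Content -LiteralPath (Join-Path $OutDir "$Mode.json") -Encoding UTF8
    "{0} access entries written to {1}\{2}.json" -f $rows.Count, $OutDir, $Mode
}
else {
    $props  = 'Path', 'Owner', 'Identity', 'Rights', 'Type', 'Inherited'
    $before = Get-Content -LiteralPath (Join-Path $OutDir 'before.json') -Raw | ConvertFrom-Json
    $after  = Get-Content -LiteralPath (Join-Path $OutDir 'after.json') -Raw | ConvertFrom-Json
    # '<=' rows existed only before apply, '=>' rows exist only after it.
    Compare-Object @($before) @($after) -Property $props |
        Sort-Object Path, Identity |
        Format-Table SideIndicator, Path, Identity, Rights, Type, Inherited, Owner -AutoSize
}
```

An empty diff after a rollback run indicates the folder's access entries and owners match the original snapshot.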
How the “pre / post” reporting works
Each time you run the script with the apply option, it writes a small JSON file under %ProgramData%\CyberLifeCoach\Reports\OneDriveBaseline. The report records the date, hostname, OS version, selected profile label, and which controls were chosen before and after changes. This gives you a simple local audit trail you can pair with your own backup logs and change notes.
These reports stay on the system where you run the script. They are not transmitted to CyberLife Coach, to Microsoft, or to any third party.
Command basics
The generated script is written in PowerShell and is intended to run from an elevated Windows PowerShell (or PowerShell 7) session on systems where you manage OneDrive-related folders. You can use:
- .\onedrive-baseline.ps1 apply to record a snapshot and apply your selected controls.
- .\onedrive-baseline.ps1 rollback to run the rollback block where it exists.
If Windows blocks script execution, you can run the script for a single session by launching PowerShell with PowerShell -ExecutionPolicy Bypass, or by setting a process-scoped policy using Set-ExecutionPolicy -Scope Process Bypass before running the script.
This tool includes a curated subset of DISA STIG controls selected for real world use by home users, entrepreneurs, digital nomads, and small businesses. It is not a full STIG implementation but a practical baseline designed to reduce your attack surface.
This assistant and the generated PowerShell script run entirely on your local device. Your selections and output are not sent to CyberLife Coach, to Microsoft, or to any other party. The script is a generic starting point based on common OneDrive hardening ideas and is provided for educational and informational use only. It is not tailored to your specific environment and does not guarantee compliance with any framework or policy, and it carries no warranty or guarantee.
You are responsible for reviewing, testing, and validating every line before use. Always create reliable backups, test in a non-critical environment, and confirm you are authorized to make changes on any systems you manage. Do not apply these settings to employer, school, or centrally managed devices without explicit written approval from the appropriate owner or administrator, and never bypass your organization’s official storage and backup controls.