Security Baseline Script Assistant
Office 365 (Office 2016/16.0 paths)
Local, in-browser helper

Generate an Office 365 hardening baseline script in a few clicks.

Choose which Office 365 STIG style controls you want to enforce and this assistant will build a PowerShell script that writes the matching registry-based policies for Office 2016/Office 365 ProPlus style installs. Review, test, then run it on Windows systems you manage. No data leaves your browser.

Step 1 ยท Choose your Office 365 controls

Pick the protections you want in your script.

Profiles blend strictness and compatibility. Relaxed focuses on safer macro and privacy controls. Strict turns on the full STIG style baseline, including legacy IE feature protections and ActiveX limits. Custom lets you hand pick each control.

Profiles

Profile cheat sheet

  • Relaxed focuses on macro and privacy controls that rarely break everyday work.
  • Strict includes everything in Relaxed plus aggressive legacy IE and ActiveX protections.
  • Custom keeps your current checkboxes and lets you build a one of a kind mix.

Relaxed selects macro, scanning, and privacy controls that rarely break normal use. Strict adds all legacy IE feature protections and ActiveX restrictions from the STIG.

Tip: For most home and small business environments, Relaxed is a sensible default. Use Strict for hardened builds where legacy ActiveX or embedded IE behaviors are not required.

Step 2 ยท Review, test, then run

Generated Office 365 baseline script

Review every line, test on a non critical machine, then run this from an elevated PowerShell session on Windows devices running Office 2016 style Office (16.0 registry paths). The script focuses on registry based controls and includes a companion rollback function for keys it creates.

How to use: Save the contents to a file such as office365-baseline.ps1, right click PowerShell and choose Run as administrator, then run .\office365-baseline.ps1. Once loaded, apply settings with Invoke-O365Baseline and attempt rollback (for supported keys) with Invoke-O365BaselineRollback.

Scope: This helper targets the Office 16.0 policy paths and common IE feature controls used by Office host processes. Always confirm they match your tenant and deployment model, especially if you are using newer Microsoft 365 Apps channels or additional policy templates.

How to use this assistant safely

Before you run the script

  • Use this only on systems and tenants you are explicitly allowed to manage.
  • Create backups or configuration exports of existing Office policy keys before applying changes.
  • Generate the script and skim every section, especially Strict profile IE/ActiveX controls.
  • Comment out any blocks that conflict with organization wide GPO or MDM baselines.
  • Test on a non critical machine joined to a representative tenant or domain first.

Good next steps

  • Save your adjusted script into version control or a secured admin repository.
  • Document which STIG style rules you enforced and how they map to your policies.
  • Coordinate with your security, compliance, or messaging teams before broad rollout.
  • Revisit this baseline when Office channels, add-ins, or browser integrations change.
Important notice
This assistant runs entirely in your browser. Your selections and the generated script are not sent to CyberLife Coach, to Microsoft, or to any third party. The output is a generic starting point based on registry style interpretations of publicly available Office 2016/Office 365 STIG guidance and is provided for educational and informational use only. It is not a substitute for professional advice and does not guarantee compliance with any standard or policy. Always test in a safe environment, verify every line, and ensure you have reliable backups before making changes. Do not apply these settings to employer or school managed devices without explicit approval and alignment with existing GPO or MDM baselines.
No warranty or guarantees Local only, no data leaves this device