Retention OneDrive

💼 Management Summary

This security control ensures the correct configuration of security settings on Windows endpoints.

Recommendation: IMPLEMENT
Risk without: High
Risk Score: 7/10
Implementation: 2h (tech: 1h)
Applies to: ✓ Windows

This setting is part of the Windows security baseline and protects against known attack vectors by enforcing secure configurations.

Required PowerShell Modules
Primary API: Graph
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementation

This control configures OneDrive retention via Microsoft Intune device configuration policies or compliance policies to secure Windows endpoints in line with security best practices.

Requirements

m365

Implementation

Use the PowerShell script retention-onedrive.ps1 (function Invoke-Monitoring) – Monitor.

Monitoring

Use the PowerShell script retention-onedrive.ps1 (function Invoke-Monitoring) – Check.

Remediation

Use the PowerShell script retention-onedrive.ps1 (function Invoke-Remediation) – Remediate.

Compliance and Auditing

Policy documentation

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Retention Policy OneDrive 7 Years
.DESCRIPTION
    The retention policy for OneDrive for Business must be configured with
    7-year retention for personal document storage and compliance.
.NOTES
    Filename: retention-onedrive.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Version: 2.0
    Related JSON: content/m365/data-lifecycle-management/retention-onedrive.json
#>
#Requires -Version 5.1
#Requires -Modules ExchangeOnlineManagement

[CmdletBinding()]
param(
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert,
    [Parameter()][switch]$WhatIf
)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Retention Policy OneDrive 7 Jaar" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

$script:RetentionDays = 2555   # 7 x 365 days
$script:RetentionYears = 7

function Invoke-Monitoring {
    try {
        Write-Host "Monitoring:" -ForegroundColor Yellow
        Connect-IPPSSession -ShowBanner:$false -ErrorAction Stop

        # Keep only policies that cover OneDrive; @() makes .Count reliable for 0 or 1 results
        $policies = @(Get-RetentionCompliancePolicy -ErrorAction Stop |
            Where-Object { $null -ne $_.OneDriveLocation -and $_.OneDriveLocation.Count -gt 0 })

        $result = @{ isCompliant = $false; totalPolicies = $policies.Count; compliantPolicies = 0 }

        if ($policies.Count -eq 0) {
            Write-Host " No OneDrive retention policies" -ForegroundColor Red
        }
        else {
            foreach ($policy in $policies) {
                $rules = Get-RetentionComplianceRule -Policy $policy.Name -ErrorAction SilentlyContinue
                $maxDays = 0
                foreach ($rule in $rules) {
                    if ($rule.RetentionDuration) {
                        # RetentionDuration can be "Unlimited" instead of a day count
                        $days = if ("$($rule.RetentionDuration)" -eq 'Unlimited') { [int]::MaxValue }
                                else { [int]"$($rule.RetentionDuration)" }
                        if ($days -gt $maxDays) { $maxDays = $days }
                    }
                }
                # Count each enabled policy once, however many of its rules qualify
                if ($maxDays -ge $script:RetentionDays -and $policy.Enabled) {
                    $result.compliantPolicies++
                    $result.isCompliant = $true
                }
                Write-Host " Policy: $($policy.Name) - $maxDays days" -ForegroundColor $(if ($maxDays -ge $script:RetentionDays) { "Green" } else { "Yellow" })
            }
        }

        Write-Host "`n Total: $($result.totalPolicies) | Compliant: $($result.compliantPolicies)" -ForegroundColor Cyan

        # Exit codes: 0 = compliant, 1 = non-compliant, 2 = error
        if ($result.isCompliant) { Write-Host "`nCOMPLIANT" -ForegroundColor Green; exit 0 }
        else { Write-Host "`nNON-COMPLIANT" -ForegroundColor Red; exit 1 }
    }
    catch { Write-Host "ERROR: $_" -ForegroundColor Red; exit 2 }
}

function Invoke-Remediation {
    try {
        Write-Host "Remediation:" -ForegroundColor Yellow
        $policyName = "OneDrive $script:RetentionYears Year Retention"

        # Honour -WhatIf: report the intended change without touching the tenant
        if ($WhatIf) {
            Write-Host " WhatIf: would create policy '$policyName' ($script:RetentionDays days, Keep)" -ForegroundColor Cyan
            exit 0
        }

        Connect-IPPSSession -ShowBanner:$false -ErrorAction Stop

        $policy = New-RetentionCompliancePolicy `
            -Name $policyName `
            -Comment "Nederlandse Baseline - $script:RetentionYears year OneDrive retention" `
            -OneDriveLocation All `
            -Enabled $true -ErrorAction Stop

        $rule = New-RetentionComplianceRule `
            -Name "$policyName - Rule" `
            -Policy $policyName `
            -RetentionDuration $script:RetentionDays `
            -RetentionComplianceAction Keep -ErrorAction Stop

        Write-Host " Policy created" -ForegroundColor Green
        exit 0
    }
    catch { Write-Host "ERROR: $_" -ForegroundColor Red; exit 2 }
}

function Invoke-Revert {
    try {
        $policyName = "OneDrive $script:RetentionYears Year Retention"

        # Honour -WhatIf: report the intended change without touching the tenant
        if ($WhatIf) {
            Write-Host " WhatIf: would remove policy '$policyName'" -ForegroundColor Cyan
            exit 0
        }

        Connect-IPPSSession -ShowBanner:$false -ErrorAction Stop
        $policy = Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue
        if ($policy) {
            Remove-RetentionCompliancePolicy -Identity $policyName -Confirm:$false -ErrorAction Stop
            Write-Host " Policy removed" -ForegroundColor Yellow
        }
        exit 0
    }
    catch { Write-Host "ERROR: $_" -ForegroundColor Red; exit 2 }
}

# Dispatch on the selected switch; -Revert takes precedence
try {
    if ($Revert) { Invoke-Revert }
    elseif ($Monitoring) { Invoke-Monitoring }
    elseif ($Remediation) { Invoke-Remediation }
    else { Write-Host "Use: -Monitoring | -Remediation | -Revert" -ForegroundColor Yellow }
}
catch { throw }
finally { Write-Host "`n========================================`n" -ForegroundColor Cyan }
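
Added example (not part of the baseline's retention-onedrive.ps1): the compliance decision from Invoke-Monitoring as a function that runs offline on constructed objects, extended to require a Keep or KeepAndDelete action, since a rule that only deletes after 2555 days retains nothing. Test-OneDriveRetention, ConvertTo-RetentionDays, New-Sample and the sample policies are hypothetical, and it is assumed that rule objects expose RetentionComplianceAction as a property with the values the cmdlet parameter accepts.

```powershell
# Added example: offline check of OneDrive retention rules (constructed data).
$RequiredDays = 2555   # same 7-year threshold as the script above

function ConvertTo-RetentionDays {
    param($Duration)
    # A rule can carry "Unlimited" instead of a number of days.
    if ("$Duration" -eq 'Unlimited') { return [int]::MaxValue }
    $days = 0
    if ([int]::TryParse("$Duration", [ref]$days)) { return $days }
    return 0   # missing or unparsable duration counts as no retention
}

function Test-OneDriveRetention {
    param($Policy, [object[]]$Rules, [int]$MinDays = $RequiredDays)
    $reasons = @()
    if (-not $Policy.Enabled) { $reasons += 'policy disabled' }
    if (-not $Policy.OneDriveLocation) { $reasons += 'no OneDrive location' }
    # Assumption: only Keep and KeepAndDelete retain content; Delete alone does not.
    $keeping = @($Rules | Where-Object { $_.RetentionComplianceAction -in 'Keep', 'KeepAndDelete' })
    $best = 0
    foreach ($rule in $keeping) {
        $days = ConvertTo-RetentionDays $rule.RetentionDuration
        if ($days -gt $best) { $best = $days }
    }
    if ($best -lt $MinDays) { $reasons += "longest keep rule: $best days" }
    [pscustomobject]@{
        Policy    = $Policy.Name
        Compliant = ($reasons.Count -eq 0)
        Reasons   = $reasons -join '; '
    }
}

# Hypothetical helper that builds one constructed policy with one rule.
function New-Sample($Name, $Enabled, $Days, $Action) {
    @{
        Policy = [pscustomobject]@{ Name = $Name; Enabled = $Enabled; OneDriveLocation = @('All') }
        Rules  = @([pscustomobject]@{ RetentionDuration = $Days; RetentionComplianceAction = $Action })
    }
}

$samples = @(
    (New-Sample 'Keep7y'         $true  2555        'Keep'),
    (New-Sample 'DeleteAfter7y'  $true  2555        'Delete'),
    (New-Sample 'KeepForever'    $true  'Unlimited' 'Keep'),
    (New-Sample 'Keep7yDisabled' $false 2555        'Keep')
)
$samples | ForEach-Object { Test-OneDriveRetention -Policy $_.Policy -Rules $_.Rules }
```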

Risk without implementation
High: No auth tracking.

Management Summary

Enable audit logging.