From 81faf4e9cb0c4e07dd1f56b63cb02320550bcbee Mon Sep 17 00:00:00 2001
From: Jake Stenger <myselfjake@gmail.com>
Date: Wed, 22 Oct 2025 14:07:33 -0700
Subject: [PATCH] =?UTF-8?q?organize=20files=20into=20platform,=20function?=
 =?UTF-8?q?=20folders.=20Standardize=20filenames=E2=80=A6=20(#34659)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

… for easier readibility. Standardize on 2-space indentation.
---
 ...llment - [AllowManualMDMUnenrollment].xml} |   2 +-
 ...ount lock out - [AccountLockoutPolicy].xml |  11 ++
 ...lections - [AllowSpotlightCollection].xml} |   0
 ...counts_EnableAdministratorAccountStatus].xml |  12 ++
 ...ization - [AllowInputPersonalization].xml} |   1 -
 ... assistance - [AllowRemoteAssistance].xml} |   0
 ...e simple TCPIP services – [SimpleTcp].xml} |   0
 ...nder SmartScreen - [EnableSmartScreen].xml |  12 ++
 ...serFromShowingAccountDetailsOnSignin].xml} |   2 +-
 ...kta attestation certificate - [Bundle].xml | 103 ++++++++++++++++++
 ...evation - [ConsentPromptBehaviorAdmin].xml |  12 ++
 ...etworkAccess_RestrictAnonymousAccess].xml} |   1 -
 ...n max) - [MaxInactivityTimeDeviceLock].xml |  11 ++
 .../windows-fleet-hardening.policies.yml      |   0
 .../scripts/disable-insider-ui-page.ps1       |   0
 ...allow local Fleet osquery modification.ps1 |  28 +++++
 ...ace period – [ScreenSaverGracePeriod].ps1} |   0
 docs/solutions/account-lock-out.xml           |  11 --
 .../crowdstrike-full-disk-access.mobileconfig |   0
 .../crowdstrike-notification.mobileconfig     |   0
 ...rowdstrike-service-management.mobileconfig |   0
 .../crowdstrike-system-extension.mobileconfig |   0
 .../crowdstrike-web-filter.mobileconfig       |   0
 .../scripts/windows-fleet-hardening.ps1       |  27 -----
 .../defender-smartscreen-service-enabled.xml  |  12 --
 .../okta-attestation-cert.xml                 | 103 ------------------
 .../uac-prompt-for-elevation.xml              |  12 --
 ...rityoptions-disable-adminaccountstatus.xml |  12 --
 28 files changed, 191 insertions(+), 181 deletions(-)
 rename docs/solutions/{configuration-profiles/BlockMDMUnenrollment.xml => Windows/configuration-profiles/Disallow manual MDM unenrollment - [AllowManualMDMUnenrollment].xml} (96%)
 create mode 100644 docs/solutions/Windows/configuration-profiles/account lock out - [AccountLockoutPolicy].xml
 rename docs/solutions/{windows/configuration-profiles/allow-spotlight-collections.xml => Windows/configuration-profiles/allow Windows Spotlight collections - [AllowSpotlightCollection].xml} (100%)
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable built-in Administrator account – [Accounts_EnableAdministratorAccountStatus].xml
 rename docs/solutions/{windows/configuration-profiles/windows-device-privacy-speechrecognition-disabled.xml => Windows/configuration-profiles/disable online speech recognition and personalization - [AllowInputPersonalization].xml} (99%)
 rename docs/solutions/{windows/configuration-profiles/windows-device-remoteassistance-disabled.xml => Windows/configuration-profiles/disable remote assistance - [AllowRemoteAssistance].xml} (100%)
 rename docs/solutions/{windows/configuration-profiles/windows-device-systemservices-simptcp-disabled.xml => Windows/configuration-profiles/disable simple TCPIP services – [SimpleTcp].xml} (100%)
 create mode 100644 docs/solutions/Windows/configuration-profiles/enable Microsoft Defender SmartScreen - [EnableSmartScreen].xml
 rename docs/solutions/{windows/configuration-profiles/block-user-from-showing-account-details-on-sign-in.xml => Windows/configuration-profiles/hide account details on sign in - [BlockUserFromShowingAccountDetailsOnSignin].xml} (91%)
 create mode 100644 docs/solutions/Windows/configuration-profiles/install Okta attestation certificate - [Bundle].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/require admin consent before UAC elevation - [ConsentPromptBehaviorAdmin].xml
 rename docs/solutions/{windows/configuration-profiles/windows-device-networkaccess-everyonepermissions.xml => Windows/configuration-profiles/restrict Everyone permissions in network access - [NetworkAccess_RestrictAnonymousAccess].xml} (99%)
 create mode 100644 docs/solutions/Windows/configuration-profiles/set maximum device lock timeout (10 min max) - [MaxInactivityTimeDeviceLock].xml
 rename docs/solutions/{ => Windows}/policies/windows-fleet-hardening.policies.yml (100%)
 rename docs/solutions/{windows => Windows}/scripts/disable-insider-ui-page.ps1 (100%)
 create mode 100644 docs/solutions/Windows/scripts/disallow local Fleet osquery modification.ps1
 rename docs/solutions/{windows/scripts/Set_ScreenSaverGracePeriod.ps1 => Windows/scripts/set screen saver grace period – [ScreenSaverGracePeriod].ps1} (100%)
 delete mode 100644 docs/solutions/account-lock-out.xml
 rename docs/solutions/{ => macOS}/configuration-profiles/crowdstrike-full-disk-access.mobileconfig (100%)
 rename docs/solutions/{ => macOS}/configuration-profiles/crowdstrike-notification.mobileconfig (100%)
 rename docs/solutions/{ => macOS}/configuration-profiles/crowdstrike-service-management.mobileconfig (100%)
 rename docs/solutions/{ => macOS}/configuration-profiles/crowdstrike-system-extension.mobileconfig (100%)
 rename docs/solutions/{ => macOS}/configuration-profiles/crowdstrike-web-filter.mobileconfig (100%)
 delete mode 100644 docs/solutions/scripts/windows-fleet-hardening.ps1
 delete mode 100644 docs/solutions/windows/configuration-profiles/defender-smartscreen-service-enabled.xml
 delete mode 100644 docs/solutions/windows/configuration-profiles/okta-attestation-cert.xml
 delete mode 100644 docs/solutions/windows/configuration-profiles/uac-prompt-for-elevation.xml
 delete mode 100644 docs/solutions/windows/configuration-profiles/windows-localpoliciessecurityoptions-disable-adminaccountstatus.xml

diff --git a/docs/solutions/configuration-profiles/BlockMDMUnenrollment.xml b/docs/solutions/Windows/configuration-profiles/Disallow manual MDM unenrollment - [AllowManualMDMUnenrollment].xml
similarity index 96%
rename from docs/solutions/configuration-profiles/BlockMDMUnenrollment.xml
rename to docs/solutions/Windows/configuration-profiles/Disallow manual MDM unenrollment - [AllowManualMDMUnenrollment].xml
index acd5994f64..0c4374576b 100644
--- a/docs/solutions/configuration-profiles/BlockMDMUnenrollment.xml
+++ b/docs/solutions/Windows/configuration-profiles/Disallow manual MDM unenrollment - [AllowManualMDMUnenrollment].xml	
@@ -10,4 +10,4 @@
     </Meta>
     <Data>0</Data>
   </Item>
-</Replace>
\ No newline at end of file
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/account lock out - [AccountLockoutPolicy].xml b/docs/solutions/Windows/configuration-profiles/account lock out - [AccountLockoutPolicy].xml
new file mode 100644
index 0000000000..f103bde8a7
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/account lock out - [AccountLockoutPolicy].xml	
@@ -0,0 +1,11 @@
+<Add>
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutPolicy</LocURI>
+    </Target>
+    <Data>AccountLockoutDuration:30, AccountLockoutThreshold:10, ResetAccountLockoutCounterAfter:3</Data>
+  </Item>
+</Add>
diff --git a/docs/solutions/windows/configuration-profiles/allow-spotlight-collections.xml b/docs/solutions/Windows/configuration-profiles/allow Windows Spotlight collections - [AllowSpotlightCollection].xml
similarity index 100%
rename from docs/solutions/windows/configuration-profiles/allow-spotlight-collections.xml
rename to docs/solutions/Windows/configuration-profiles/allow Windows Spotlight collections - [AllowSpotlightCollection].xml
diff --git a/docs/solutions/Windows/configuration-profiles/disable built-in Administrator account – [Accounts_EnableAdministratorAccountStatus].xml b/docs/solutions/Windows/configuration-profiles/disable built-in Administrator account – [Accounts_EnableAdministratorAccountStatus].xml
new file mode 100644
index 0000000000..70563197ba
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable built-in Administrator account – [Accounts_EnableAdministratorAccountStatus].xml	
@@ -0,0 +1,12 @@
+<Replace>
+  <CmdID>1</CmdID>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>0</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/windows/configuration-profiles/windows-device-privacy-speechrecognition-disabled.xml b/docs/solutions/Windows/configuration-profiles/disable online speech recognition and personalization - [AllowInputPersonalization].xml
similarity index 99%
rename from docs/solutions/windows/configuration-profiles/windows-device-privacy-speechrecognition-disabled.xml
rename to docs/solutions/Windows/configuration-profiles/disable online speech recognition and personalization - [AllowInputPersonalization].xml
index 86afe426ed..f68b4a8853 100644
--- a/docs/solutions/windows/configuration-profiles/windows-device-privacy-speechrecognition-disabled.xml
+++ b/docs/solutions/Windows/configuration-profiles/disable online speech recognition and personalization - [AllowInputPersonalization].xml	
@@ -9,4 +9,3 @@
     <Data>0</Data>
   </Item>
 </Replace>
-
diff --git a/docs/solutions/windows/configuration-profiles/windows-device-remoteassistance-disabled.xml b/docs/solutions/Windows/configuration-profiles/disable remote assistance - [AllowRemoteAssistance].xml
similarity index 100%
rename from docs/solutions/windows/configuration-profiles/windows-device-remoteassistance-disabled.xml
rename to docs/solutions/Windows/configuration-profiles/disable remote assistance - [AllowRemoteAssistance].xml
diff --git a/docs/solutions/windows/configuration-profiles/windows-device-systemservices-simptcp-disabled.xml b/docs/solutions/Windows/configuration-profiles/disable simple TCPIP services – [SimpleTcp].xml
similarity index 100%
rename from docs/solutions/windows/configuration-profiles/windows-device-systemservices-simptcp-disabled.xml
rename to docs/solutions/Windows/configuration-profiles/disable simple TCPIP services – [SimpleTcp].xml
diff --git a/docs/solutions/Windows/configuration-profiles/enable Microsoft Defender SmartScreen - [EnableSmartScreen].xml b/docs/solutions/Windows/configuration-profiles/enable Microsoft Defender SmartScreen - [EnableSmartScreen].xml
new file mode 100644
index 0000000000..018190b1a7
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/enable Microsoft Defender SmartScreen - [EnableSmartScreen].xml	
@@ -0,0 +1,12 @@
+<Replace>
+  <!-- Service Enabled key, 1 = enabled -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled</LocURI>
+    </Target>
+    <Data>1</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/windows/configuration-profiles/block-user-from-showing-account-details-on-sign-in.xml b/docs/solutions/Windows/configuration-profiles/hide account details on sign in - [BlockUserFromShowingAccountDetailsOnSignin].xml
similarity index 91%
rename from docs/solutions/windows/configuration-profiles/block-user-from-showing-account-details-on-sign-in.xml
rename to docs/solutions/Windows/configuration-profiles/hide account details on sign in - [BlockUserFromShowingAccountDetailsOnSignin].xml
index d5ec2c610f..ee0aa85714 100644
--- a/docs/solutions/windows/configuration-profiles/block-user-from-showing-account-details-on-sign-in.xml
+++ b/docs/solutions/Windows/configuration-profiles/hide account details on sign in - [BlockUserFromShowingAccountDetailsOnSignin].xml	
@@ -9,7 +9,7 @@
       <LocURI>./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin</LocURI>
     </Target>
     <Data>
-    <![CDATA[<enabled/>]]>
+      <![CDATA[<enabled/>]]>
     </Data>
   </Item>
 </Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/install Okta attestation certificate - [Bundle].xml b/docs/solutions/Windows/configuration-profiles/install Okta attestation certificate - [Bundle].xml
new file mode 100644
index 0000000000..eadc58d7df
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/install Okta attestation certificate - [Bundle].xml	
@@ -0,0 +1,103 @@
+<Replace>
+  <!-- Set Node here -->
+  <CmdID>1</CmdID>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">node</Format>
+    </Meta>
+  </Item>
+</Replace>
+<Add>
+  <!-- SCEP URL -->
+  <CmdID>2</CmdID>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/ServerURL</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>yourUrlHere</Data>
+  </Item>
+</Add>
+<!-- SCEP Challenge -->
+<Add>
+  <CmdID>3</CmdID>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/Challenge</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>yourChallengeHere</Data>
+  </Item>
+</Add>
+<!-- CN - check Okta doc for required values (https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/devices-client-certificates-faqs.htm) -->
+<Add>
+  <CmdID>4</CmdID>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/SubjectName</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>$FLEET_VAR_HOST_UUID </Data>
+  </Item>
+</Add>
+<!-- Key Length -->
+<Add>
+  <CmdID>5</CmdID>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/KeyLength</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>2048</Data>
+  </Item>
+</Add>
+<!-- Hash Algorithm -->
+<Add>
+  <CmdID>6</CmdID>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/HashAlgorithm</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>SHA256</Data>
+  </Item>
+</Add>
+<!-- Key Usage -->
+<Add>
+  <CmdID>7</CmdID>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/KeyUsage</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>160</Data>
+  </Item>
+</Add>
+<!-- Extended Key Usage -->
+<Add>
+  <CmdID>8</CmdID>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/EKUMapping</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>1.3.6.1.5.5.7.3.2</Data>
+  </Item>
+</Add>
diff --git a/docs/solutions/Windows/configuration-profiles/require admin consent before UAC elevation - [ConsentPromptBehaviorAdmin].xml b/docs/solutions/Windows/configuration-profiles/require admin consent before UAC elevation - [ConsentPromptBehaviorAdmin].xml
new file mode 100644
index 0000000000..48b576915e
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/require admin consent before UAC elevation - [ConsentPromptBehaviorAdmin].xml	
@@ -0,0 +1,12 @@
+<Replace>
+  <!-- User Account Control key, 1 = enabled -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</LocURI>
+    </Target>
+    <Data>1</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/windows/configuration-profiles/windows-device-networkaccess-everyonepermissions.xml b/docs/solutions/Windows/configuration-profiles/restrict Everyone permissions in network access - [NetworkAccess_RestrictAnonymousAccess].xml
similarity index 99%
rename from docs/solutions/windows/configuration-profiles/windows-device-networkaccess-everyonepermissions.xml
rename to docs/solutions/Windows/configuration-profiles/restrict Everyone permissions in network access - [NetworkAccess_RestrictAnonymousAccess].xml
index 83aa820dc1..f53b77dc9a 100644
--- a/docs/solutions/windows/configuration-profiles/windows-device-networkaccess-everyonepermissions.xml
+++ b/docs/solutions/Windows/configuration-profiles/restrict Everyone permissions in network access - [NetworkAccess_RestrictAnonymousAccess].xml	
@@ -10,4 +10,3 @@
     <Data>0</Data>
   </Item>
 </Replace>
-
diff --git a/docs/solutions/Windows/configuration-profiles/set maximum device lock timeout (10 min max) - [MaxInactivityTimeDeviceLock].xml b/docs/solutions/Windows/configuration-profiles/set maximum device lock timeout (10 min max) - [MaxInactivityTimeDeviceLock].xml
new file mode 100644
index 0000000000..bb8bb078ba
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/set maximum device lock timeout (10 min max) - [MaxInactivityTimeDeviceLock].xml	
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock</LocURI>
+    </Target>
+    <Data>10</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/policies/windows-fleet-hardening.policies.yml b/docs/solutions/Windows/policies/windows-fleet-hardening.policies.yml
similarity index 100%
rename from docs/solutions/policies/windows-fleet-hardening.policies.yml
rename to docs/solutions/Windows/policies/windows-fleet-hardening.policies.yml
diff --git a/docs/solutions/windows/scripts/disable-insider-ui-page.ps1 b/docs/solutions/Windows/scripts/disable-insider-ui-page.ps1
similarity index 100%
rename from docs/solutions/windows/scripts/disable-insider-ui-page.ps1
rename to docs/solutions/Windows/scripts/disable-insider-ui-page.ps1
diff --git a/docs/solutions/Windows/scripts/disallow local Fleet osquery modification.ps1 b/docs/solutions/Windows/scripts/disallow local Fleet osquery modification.ps1
new file mode 100644
index 0000000000..27cc5045c3
--- /dev/null
+++ b/docs/solutions/Windows/scripts/disallow local Fleet osquery modification.ps1	
@@ -0,0 +1,28 @@
+# Prevents uninstall/change of Fleet osquery via Windows UI.
+# Sets NoRemove and NoModify = 1 under Fleet osquery uninstall entry.
+# Hides uninstall/change options across Control Panel and Settings > Apps.
+# Works on all Windows editions.
+
+$UninstallPaths = @(
+  "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
+  "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
+)
+
+$FleetEntry = Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
+Where-Object { $_.DisplayName -like "Fleet osquery*" }
+
+if ($FleetEntry) {
+  Write-Output "[INFO] Fleet osquery found: $($FleetEntry.DisplayName)"
+  $RegKeyPath = $FleetEntry.PSPath
+
+  New-ItemProperty -Path $RegKeyPath -Name "NoRemove" -Value 1 -PropertyType DWord -Force | Out-Null
+  Write-Output "[SET] NoRemove = 1"
+
+  New-ItemProperty -Path $RegKeyPath -Name "NoModify" -Value 1 -PropertyType DWord -Force | Out-Null
+  Write-Output "[SET] NoModify = 1"
+
+  Write-Output "[DONE] Fleet osquery uninstall options hardened."
+}
+else {
+  Write-Output "[WARN] Fleet osquery not found. Nothing changed."
+}
diff --git a/docs/solutions/windows/scripts/Set_ScreenSaverGracePeriod.ps1 b/docs/solutions/Windows/scripts/set screen saver grace period – [ScreenSaverGracePeriod].ps1
similarity index 100%
rename from docs/solutions/windows/scripts/Set_ScreenSaverGracePeriod.ps1
rename to docs/solutions/Windows/scripts/set screen saver grace period – [ScreenSaverGracePeriod].ps1
diff --git a/docs/solutions/account-lock-out.xml b/docs/solutions/account-lock-out.xml
deleted file mode 100644
index 20c7e6ecba..0000000000
--- a/docs/solutions/account-lock-out.xml
+++ /dev/null
@@ -1,11 +0,0 @@
-<Add>
-    <Item>
-        <Meta>
-            <Format xmlns="syncml:metinf">chr</Format>
-        </Meta>
-        <Target>
-            <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutPolicy</LocURI>
-        </Target>
-        <Data>AccountLockoutDuration:30, AccountLockoutThreshold:10, ResetAccountLockoutCounterAfter:3</Data>
-    </Item>
-</Add>
diff --git a/docs/solutions/configuration-profiles/crowdstrike-full-disk-access.mobileconfig b/docs/solutions/macOS/configuration-profiles/crowdstrike-full-disk-access.mobileconfig
similarity index 100%
rename from docs/solutions/configuration-profiles/crowdstrike-full-disk-access.mobileconfig
rename to docs/solutions/macOS/configuration-profiles/crowdstrike-full-disk-access.mobileconfig
diff --git a/docs/solutions/configuration-profiles/crowdstrike-notification.mobileconfig b/docs/solutions/macOS/configuration-profiles/crowdstrike-notification.mobileconfig
similarity index 100%
rename from docs/solutions/configuration-profiles/crowdstrike-notification.mobileconfig
rename to docs/solutions/macOS/configuration-profiles/crowdstrike-notification.mobileconfig
diff --git a/docs/solutions/configuration-profiles/crowdstrike-service-management.mobileconfig b/docs/solutions/macOS/configuration-profiles/crowdstrike-service-management.mobileconfig
similarity index 100%
rename from docs/solutions/configuration-profiles/crowdstrike-service-management.mobileconfig
rename to docs/solutions/macOS/configuration-profiles/crowdstrike-service-management.mobileconfig
diff --git a/docs/solutions/configuration-profiles/crowdstrike-system-extension.mobileconfig b/docs/solutions/macOS/configuration-profiles/crowdstrike-system-extension.mobileconfig
similarity index 100%
rename from docs/solutions/configuration-profiles/crowdstrike-system-extension.mobileconfig
rename to docs/solutions/macOS/configuration-profiles/crowdstrike-system-extension.mobileconfig
diff --git a/docs/solutions/configuration-profiles/crowdstrike-web-filter.mobileconfig b/docs/solutions/macOS/configuration-profiles/crowdstrike-web-filter.mobileconfig
similarity index 100%
rename from docs/solutions/configuration-profiles/crowdstrike-web-filter.mobileconfig
rename to docs/solutions/macOS/configuration-profiles/crowdstrike-web-filter.mobileconfig
diff --git a/docs/solutions/scripts/windows-fleet-hardening.ps1 b/docs/solutions/scripts/windows-fleet-hardening.ps1
deleted file mode 100644
index 0b3ce09f02..0000000000
--- a/docs/solutions/scripts/windows-fleet-hardening.ps1
+++ /dev/null
@@ -1,27 +0,0 @@
-# Prevents uninstall/change of Fleet osquery via Windows UI.
-# Sets NoRemove and NoModify = 1 under Fleet osquery uninstall entry.
-# Hides uninstall/change options across Control Panel and Settings > Apps.
-# Works on all Windows editions.
-
-$UninstallPaths = @(
-    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
-    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
-)
-
-$FleetEntry = Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
-              Where-Object { $_.DisplayName -like "Fleet osquery*" }
-
-if ($FleetEntry) {
-    Write-Output "[INFO] Fleet osquery found: $($FleetEntry.DisplayName)"
-    $RegKeyPath = $FleetEntry.PSPath
-
-    New-ItemProperty -Path $RegKeyPath -Name "NoRemove" -Value 1 -PropertyType DWord -Force | Out-Null
-    Write-Output "[SET] NoRemove = 1"
-
-    New-ItemProperty -Path $RegKeyPath -Name "NoModify" -Value 1 -PropertyType DWord -Force | Out-Null
-    Write-Output "[SET] NoModify = 1"
-
-    Write-Output "[DONE] Fleet osquery uninstall options hardened."
-} else {
-    Write-Output "[WARN] Fleet osquery not found. Nothing changed."
-}
diff --git a/docs/solutions/windows/configuration-profiles/defender-smartscreen-service-enabled.xml b/docs/solutions/windows/configuration-profiles/defender-smartscreen-service-enabled.xml
deleted file mode 100644
index a21d5f1044..0000000000
--- a/docs/solutions/windows/configuration-profiles/defender-smartscreen-service-enabled.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-<Replace>
-    <!-- Service Enabled key, 1 = enabled -->
-    <Item>
-        <Meta>
-            <Format xmlns="syncml:metinf">int</Format>
-        </Meta>
-        <Target>
-            <LocURI>./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled</LocURI>
-        </Target>
-        <Data>1</Data>
-    </Item>
-</Replace>
diff --git a/docs/solutions/windows/configuration-profiles/okta-attestation-cert.xml b/docs/solutions/windows/configuration-profiles/okta-attestation-cert.xml
deleted file mode 100644
index d7e74dd7d2..0000000000
--- a/docs/solutions/windows/configuration-profiles/okta-attestation-cert.xml
+++ /dev/null
@@ -1,103 +0,0 @@
-<Replace>
-      <!-- Set Node here -->
-      <CmdID>1</CmdID>
-      <Item>
-        <Target>
-          <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify</LocURI>
-        </Target>
-        <Meta>
-          <Format xmlns="syncml:metinf">node</Format>
-        </Meta>
-      </Item>
-    </Replace>
-    <Add>
-    <!-- SCEP URL -->      
-      <CmdID>2</CmdID>
-      <Item>
-        <Target>
-          <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/ServerURL</LocURI>
-        </Target>
-        <Meta>
-          <Format xmlns="syncml:metinf">chr</Format>
-        </Meta>
-        <Data>yourUrlHere</Data>
-      </Item>
-    </Add>
-    <!-- SCEP Challenge -->
-    <Add>
-      <CmdID>3</CmdID>
-      <Item>
-        <Target>
-          <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/Challenge</LocURI>
-        </Target>
-        <Meta>
-          <Format xmlns="syncml:metinf">chr</Format>
-        </Meta>
-        <Data>yourChallengeHere</Data>
-      </Item>
-    </Add>
-    <!-- CN - check Okta doc for required values (https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/devices-client-certificates-faqs.htm) -->
-    <Add>
-      <CmdID>4</CmdID>
-      <Item>
-        <Target>
-          <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/SubjectName</LocURI>
-        </Target>
-        <Meta>
-          <Format xmlns="syncml:metinf">chr</Format>
-        </Meta>
-        <Data>$FLEET_VAR_HOST_UUID </Data>
-      </Item>
-    </Add>
-    <!-- Key Length -->
-    <Add>
-      <CmdID>5</CmdID>
-      <Item>
-        <Target>
-          <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/KeyLength</LocURI>
-        </Target>
-        <Meta>
-          <Format xmlns="syncml:metinf">int</Format>
-        </Meta>
-        <Data>2048</Data>
-      </Item>
-    </Add>
-    <!-- Hash Algorithm -->
-    <Add>
-      <CmdID>6</CmdID>
-      <Item>
-        <Target>
-          <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/HashAlgorithm</LocURI>
-        </Target>
-        <Meta>
-          <Format xmlns="syncml:metinf">chr</Format>
-        </Meta>
-        <Data>SHA256</Data>
-      </Item>
-    </Add>
-    <!-- Key Usage -->
-    <Add>
-      <CmdID>7</CmdID>
-      <Item>
-        <Target>
-          <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/KeyUsage</LocURI>
-        </Target>
-        <Meta>
-          <Format xmlns="syncml:metinf">int</Format>
-        </Meta>
-        <Data>160</Data>
-      </Item>
-    </Add>
-    <!-- Extended Key Usage -->
-    <Add>
-      <CmdID>8</CmdID>
-      <Item>
-        <Target>
-          <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/EKUMapping</LocURI>
-        </Target>
-        <Meta>
-          <Format xmlns="syncml:metinf">chr</Format>
-        </Meta>
-        <Data>1.3.6.1.5.5.7.3.2</Data>
-      </Item>
-    </Add>
diff --git a/docs/solutions/windows/configuration-profiles/uac-prompt-for-elevation.xml b/docs/solutions/windows/configuration-profiles/uac-prompt-for-elevation.xml
deleted file mode 100644
index 0549f3ba92..0000000000
--- a/docs/solutions/windows/configuration-profiles/uac-prompt-for-elevation.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-<Replace>
-    <!-- User Account Control key, 1 = enabled -->
-    <Item>
-        <Meta>
-            <Format xmlns="syncml:metinf">int</Format>
-        </Meta>
-        <Target>
-            <LocURI>./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</LocURI>
-        </Target>
-        <Data>1</Data>
-    </Item>
-</Replace>
diff --git a/docs/solutions/windows/configuration-profiles/windows-localpoliciessecurityoptions-disable-adminaccountstatus.xml b/docs/solutions/windows/configuration-profiles/windows-localpoliciessecurityoptions-disable-adminaccountstatus.xml
deleted file mode 100644
index bc91f81d6d..0000000000
--- a/docs/solutions/windows/configuration-profiles/windows-localpoliciessecurityoptions-disable-adminaccountstatus.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-<Replace>
-    <CmdID>1</CmdID>
-    <Item>
-        <Target>
-            <LocURI>./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</LocURI>
-        </Target>
-        <Meta>
-            <Format xmlns="syncml:metinf">int</Format>
-        </Meta>
-        <Data>0</Data>
-    </Item>
-</Replace>