Doc/solutions/windows cleanup (#34676)

Consolidates all the CSPs from the spreadsheet into one location. Removes CmdID keys from all CSPs.
2026-05-24 09:28:54 +00:00 · 2025-10-22 19:59:12 -07:00 · 2025-10-22 19:59:12 -07:00 · d8865f369a
commit d8865f369a
parent 346da470b8
40 changed files with 595 additions and 117 deletions
--- a/docs/solutions/Windows/configuration-profiles/Disallow
+++ b/docs/solutions/Windows/configuration-profiles/Disallow
@ -1,5 +1,4 @@
 <Replace>
-  <CmdID>25</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment</LocURI>
--- a/docs/solutions/Windows/configuration-profiles/allow
+++ b/docs/solutions/Windows/configuration-profiles/allow
@ -1,5 +1,4 @@
 <Replace>
-  <CmdID>019a01c6-9e1e-7e70-9c72-21151773f075</CmdID>
  <Item>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
--- a/docs/solutions/Windows/configuration-profiles/allow
+++ b/docs/solutions/Windows/configuration-profiles/allow
@ -0,0 +1,22 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DCConnectivityInStandby_2</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>&lt;enabled/&gt;</Data>
+  </Item>
+</Replace>
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/ADMX_Power/ACConnectivityInStandby_2</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>&lt;enabled/&gt;</Data>
+  </Item>
+</Replace>
--- a/[ConfigureInternetConnectionSharingServiceStartupMode].xml
+++ b/[ConfigureInternetConnectionSharingServiceStartupMode].xml
@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureInternetConnectionSharingServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/disable
+++ b/docs/solutions/Windows/configuration-profiles/disable
@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureMicrosoftFTPServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
--- a/[ConfigureRemoteProcedureCallLocatorServiceStartupMode].xml
+++ b/[ConfigureRemoteProcedureCallLocatorServiceStartupMode].xml
@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureRemoteProcedureCallLocatorServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
--- a/[ConfigureRoutingAndRemoteAccessServiceStartupMode].xml
+++ b/[ConfigureRoutingAndRemoteAccessServiceStartupMode].xml
@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureRoutingAndRemoteAccessServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/disable
+++ b/docs/solutions/Windows/configuration-profiles/disable
@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSSDPDiscoveryServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/disable
+++ b/docs/solutions/Windows/configuration-profiles/disable
@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureUPnPDeviceHostServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/disable
+++ b/docs/solutions/Windows/configuration-profiles/disable
@ -0,0 +1,12 @@
+<Replace>
+  <!-- Disable Windows Game Recording and Broadcasting -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowGameDVR</LocURI>
+    </Target>
+    <Data>0</Data>
+  </Item>
+</Replace>
--- a/[ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode].xml
+++ b/[ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode].xml
@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
--- a/[ConfigureWindowsMobileHotspotServiceStartupMode].xml
+++ b/[ConfigureWindowsMobileHotspotServiceStartupMode].xml
@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWindowsMobileHotspotServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/disable
+++ b/docs/solutions/Windows/configuration-profiles/disable
@ -0,0 +1,22 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/UnsolicitedRemoteAssistance</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>&lt;disabled/&gt;</Data>
+  </Item>
+</Replace>
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/SolicitedRemoteAssistance</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>&lt;disabled/&gt;</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/disable
+++ b/docs/solutions/Windows/configuration-profiles/disable
@ -0,0 +1,14 @@
+<Replace>
+  <!-- Enabling this policy setting turns off Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features 
+       Enable this policy setting if your goal is to minimize network traffic from target devices. 
+      Read more here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlight -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight</LocURI>
+    </Target>
+    <Data>0</Data>
+  </Item>
+</Replace>
--- a/[ConfigureWorldWideWebPublishingServiceStartupMode].xml
+++ b/[ConfigureWorldWideWebPublishingServiceStartupMode].xml
@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWorldWideWebPublishingServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/disable
+++ b/docs/solutions/Windows/configuration-profiles/disable
@ -0,0 +1,44 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/disable
+++ b/docs/solutions/Windows/configuration-profiles/disable
@ -0,0 +1,12 @@
+<Replace>
+  <!-- Disables automatic data collection for defender smartscreen -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection</LocURI>
+    </Target>
+    <Data>0</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/disable
+++ b/docs/solutions/Windows/configuration-profiles/disable
@ -1,5 +1,4 @@
 <Replace>
-  <CmdID>1</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</LocURI>
--- a/docs/solutions/Windows/configuration-profiles/disable
+++ b/docs/solutions/Windows/configuration-profiles/disable
@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</LocURI>
+    </Target>
+    <Data>0</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/disable
+++ b/docs/solutions/Windows/configuration-profiles/disable
@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>0</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/disable
+++ b/docs/solutions/Windows/configuration-profiles/disable
@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./User/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>0</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/disable
+++ b/docs/solutions/Windows/configuration-profiles/disable
@ -1,5 +1,4 @@
 <Replace>
-  <CmdID>019a0126-d124-7639-b672-199c12f88d97</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/UnsolicitedRemoteAssistance</LocURI>
--- a/docs/solutions/Windows/configuration-profiles/disable
+++ b/docs/solutions/Windows/configuration-profiles/disable
@ -0,0 +1,14 @@
+<Replace>
+  <!-- Dsiable remote desktop services, an ADMX-backed policy -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/AllowUsersToConnectRemotely</LocURI>
+    </Target>
+    <Data>
+      <![CDATA[<enabled/><data id="SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" value="1"/>]]>
+    </Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/disable
+++ b/docs/solutions/Windows/configuration-profiles/disable
@ -1,5 +1,4 @@
 <Replace>
-  <CmdID>0199f25b-795f-772e-9037-dd02873185e7</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSimpleTCPIPServicesStartupMode</LocURI>
--- a/docs/solutions/Windows/configuration-profiles/enable
+++ b/docs/solutions/Windows/configuration-profiles/enable
@ -0,0 +1,12 @@
+<Replace>
+  <!-- Service Enabled key, 1 = enabled -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled</LocURI>
+    </Target>
+    <Data>1</Data>
+  </Item>
+</Replace>
--- a/[UserAccountControl_DetectApplicationInstallationsAndPromptForElevation].xml
+++ b/[UserAccountControl_DetectApplicationInstallationsAndPromptForElevation].xml
@ -0,0 +1,12 @@
+<Replace>
+  <!-- User Account Control key, 1 = enabled -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</LocURI>
+    </Target>
+    <Data>1</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/enable
+++ b/docs/solutions/Windows/configuration-profiles/enable
@ -0,0 +1,13 @@
+<Replace>
+  <!-- Enable Defender SmartScreen to warn users if reusing their work or school
+    password -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse</LocURI>
+    </Target>
+    <Data>1</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/enable
+++ b/docs/solutions/Windows/configuration-profiles/enable
@ -0,0 +1,13 @@
+<Replace>
+  <!-- Enable Defender SmartScreen to warn users if they type their work or school
+    password into a malicious scenario -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious</LocURI>
+    </Target>
+    <Data>1</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/enable
+++ b/docs/solutions/Windows/configuration-profiles/enable
@ -0,0 +1,13 @@
+<Replace>
+  <!-- Enable Defender SmartScreen to warn users if they type their work or school password into
+    text editor apps -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp</LocURI>
+    </Target>
+    <Data>1</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/enforce
+++ b/docs/solutions/Windows/configuration-profiles/enforce
@ -0,0 +1,72 @@
+<Replace>
+  <!-- Enable Firewall for Domain Profile -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">bool</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall</LocURI>
+    </Target>
+    <Data>true</Data>
+  </Item>
+</Replace>
+<Replace>
+  <!-- Disable ability for user to override at domain level  -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">bool</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Vendor/MSFT/Firewall/MdmStore/DomainProfile/AllowLocalPolicyMerge</LocURI>
+    </Target>
+    <Data>false</Data>
+  </Item>
+</Replace>
+<Replace>
+  <!-- Enable Firewall for Private Profile -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">bool</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall</LocURI>
+    </Target>
+    <Data>true</Data>
+  </Item>
+</Replace>
+<Replace>
+  <!-- Disable ability for user to override at private profile level  -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">bool</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/AllowLocalPolicyMerge</LocURI>
+    </Target>
+    <Data>false</Data>
+  </Item>
+</Replace>
+<Replace>
+  <!-- Enable Firewall for Public Profile -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">bool</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall</LocURI>
+    </Target>
+    <Data>true</Data>
+  </Item>
+</Replace>
+<Replace>
+  <!-- Disable ability for user to override at public profile level  -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">bool</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Vendor/MSFT/Firewall/MdmStore/PublicProfile/AllowLocalPolicyMerge</LocURI>
+    </Target>
+    <Data>false</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/enforce
+++ b/docs/solutions/Windows/configuration-profiles/enforce
--- a/docs/solutions/Windows/configuration-profiles/enforce
+++ b/docs/solutions/Windows/configuration-profiles/enforce
@ -0,0 +1,48 @@
+<Replace>
+  <!-- Enforce screenlock -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled</LocURI>
+    </Target>
+    <Data>0</Data>
+  </Item>
+</Replace>
+<Replace>
+  <!-- Enforce screenlock after 15 minutes -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock</LocURI>
+    </Target>
+    <Data>15</Data>
+  </Item>
+</Replace>
+<Replace>
+  <!-- Enforce PIN or password length (10 characters) -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength</LocURI>
+    </Target>
+    <Data>10</Data>
+  </Item>
+</Replace>
+<Replace>
+  <!-- Enforce PIN or password has at least one lowercase letter and at least one number -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordComplexCharacters</LocURI>
+    </Target>
+    <Data>2</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/enforce
+++ b/docs/solutions/Windows/configuration-profiles/enforce
@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/System/BootStartDriverInitialization</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>&lt;disabled/&gt;</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/hide
+++ b/docs/solutions/Windows/configuration-profiles/hide
@ -1,5 +1,4 @@
 <Replace>
-  <CmdID>2</CmdID>
  <Item>
    <Meta>
      <Format>chr</Format>
--- a/docs/solutions/Windows/configuration-profiles/install
+++ b/docs/solutions/Windows/configuration-profiles/install
@ -1,131 +1,131 @@
 <Add>
-        <!-- Name of SCEP node -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">node</Format>
-</Meta>
-</Item>
+  <!-- Name of SCEP node -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">node</Format>
+    </Meta>
+  </Item>
 </Add>
 <Add>
-        <!-- Retry count for SCEP installation -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/RetryCount</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">int</Format>
-</Meta>
-<Data>3</Data>
-</Item>
+  <!-- Retry count for SCEP installation -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/RetryCount</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>3</Data>
+  </Item>
 </Add>
 <Add>
-        <!-- Retry delay for SCEP installation -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/RetryDelay</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">int</Format>
-</Meta>
-<Data>10</Data>
-</Item>
+  <!-- Retry delay for SCEP installation -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/RetryDelay</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>10</Data>
+  </Item>
 </Add>
 <Add>
-        <!-- Key Usage - keep default for Okta -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/KeyUsage</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">int</Format>
-</Meta>
-<Data>160</Data>
-</Item>
+  <!-- Key Usage - keep default for Okta -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/KeyUsage</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>160</Data>
+  </Item>
 </Add>
 <Add>
-        <!-- Key Length - min 2048 for Okta -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/KeyLength</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">int</Format>
-</Meta>
-<Data>2048</Data>
-</Item>
+  <!-- Key Length - min 2048 for Okta -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/KeyLength</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>2048</Data>
+  </Item>
 </Add>
 <Add>
-        <!-- Hash Algorithm - keep default for Okta -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/HashAlgorithm</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">chr</Format>
-</Meta>
-<Data>SHA-1</Data>
-</Item>
+  <!-- Hash Algorithm - keep default for Okta -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/HashAlgorithm</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>SHA-1</Data>
+  </Item>
 </Add>
 <Add>
-        <!-- CN - keep default for Okta -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/SubjectName</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">chr</Format>
-</Meta>
-<Data>CN=$FLEET_VAR_HOST_UUID managementAttestation</Data>
-</Item>
+  <!-- CN - keep default for Okta -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/SubjectName</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>CN=$FLEET_VAR_HOST_UUID managementAttestation</Data>
+  </Item>
 </Add>
 <Add>
-        <!-- Extended Key Usage - keep default for Okta -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/EKUMapping</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">chr</Format>
-</Meta>
-<Data>1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2+1.3.6.1.5.5.7.3.2</Data>
-</Item>
+  <!-- Extended Key Usage - keep default for Okta -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/EKUMapping</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2+1.3.6.1.5.5.7.3.2</Data>
+  </Item>
 </Add>
 <Add>
-        <!-- SCEP Server URL -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/ServerURL</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">chr</Format>
-</Meta>
-<Data>{{yourScepUrl}}</Data>
-</Item>
+  <!-- SCEP Server URL -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/ServerURL</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>{{yourScepUrl}}</Data>
+  </Item>
 </Add>
 <Add>
-        <!-- SCEP Challenge - Does not need to be b64 -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/Challenge</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">chr</Format>
-</Meta>
-<Data>{{yourScepChallenge}}</Data>
-</Item>
+  <!-- SCEP Challenge - Does not need to be b64 -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/Challenge</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>{{yourScepChallenge}}</Data>
+  </Item>
 </Add>
 <Add>
-        <!-- SCEP CA Thumbprint - Download Okta CA (if using) and specify thumbprint here -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/CAThumbprint</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">chr</Format>
-</Meta>
-<Data>{{yourScepCAThumbprint}}</Data>
-</Item>
-</Add>
+  <!-- SCEP CA Thumbprint - Download Okta CA (if using) and specify thumbprint here -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/CAThumbprint</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>{{yourScepCAThumbprint}}</Data>
+  </Item>
+</Add>
--- a/docs/solutions/Windows/configuration-profiles/prevent
+++ b/docs/solutions/Windows/configuration-profiles/prevent
@ -0,0 +1,12 @@
+<Replace>
+  <!-- Disallows the user to change date and time settings -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/Settings/AllowDateTime</LocURI>
+    </Target>
+    <Data>0</Data>
+  </Item>
+</Replace>
--- a/docs/solutions/Windows/configuration-profiles/restrict
+++ b/docs/solutions/Windows/configuration-profiles/restrict
@ -1,5 +1,4 @@
 <Replace>
-  <CmdID>019a01b4-68a6-7aab-a125-fb36dc055a4c</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers</LocURI>
--- a/docs/solutions/Windows/policies/set
+++ b/docs/solutions/Windows/policies/set
@ -0,0 +1,7 @@
+- name: Windows - Ensure 'set time automatically' enabled
+  platform: windows
+  description: This policy checks if Windows machines are enabled to automatically set time.
+  resolution: From Settings, enable, "Set Time Automatically". Failures will result in script execution to remediate.
+  query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type' AND data = 'NTP';
+  run_script:
+    path: "../lib/enable_ntp.ps1"
--- a/docs/solutions/Windows/scripts/disable-insider-ui-page.ps1
+++ b/docs/solutions/Windows/scripts/disable-insider-ui-page.ps1
--- a/docs/solutions/Windows/scripts/disallow
+++ b/docs/solutions/Windows/scripts/disallow