From d8865f369ae91a96a45840d669020d8692731728 Mon Sep 17 00:00:00 2001
From: Jake Stenger <myselfjake@gmail.com>
Date: Wed, 22 Oct 2025 19:59:12 -0700
Subject: [PATCH] Doc/solutions/windows cleanup (#34676)

Consolidates all the CSPs from the spreadsheet into one location.
Removes CmdID keys from all CSPs.
---
 ...ollment - [AllowManualMDMUnenrollment].xml |   1 -
 ...llections - [AllowSpotlightCollection].xml |   1 -
 ...yInStandby_2, DCConnectivityInStandby_2].xml |  22 ++
 ...rnetConnectionSharingServiceStartupMode].xml |  11 +
 ...ConfigureMicrosoftFTPServiceStartupMode].xml |  11 +
 ...eProcedureCallLocatorServiceStartupMode].xml |  11 +
 ...outingAndRemoteAccessServiceStartupMode].xml |  11 +
 ...onfigureSSDPDiscoveryServiceStartupMode].xml |  11 +
 ...nfigureUPnPDeviceHostServiceStartupMode].xml |  11 +
 ...ding and Broadcasting – [AllowGameDVR].xml |  12 +
 ...aPlayerNetworkSharingServiceStartupMode].xml |  11 +
 ...eWindowsMobileHotspotServiceStartupMode].xml |  11 +
 ...teAssistance, SolicitedRemoteAssistance].xml |  22 ++
 ...ght features – [AllowWindowsSpotlight].xml |  14 ++
 ...orldWideWebPublishingServiceStartupMode].xml |  11 +
 .../disable Xbox services – [Bundle].xml      |  44 ++++
 ...at Defense – [AutomaticDataCollection].xml |  12 +
 ...counts_EnableAdministratorAccountStatus].xml |   1 -
 ... – [Accounts_EnableGuestAccountStatus].xml |  11 +
 ...[MSIAlwaysInstallWithElevatedPrivileges].xml |  11 +
 ...[MSIAlwaysInstallWithElevatedPrivileges].xml |  11 +
 ...e assistance - [AllowRemoteAssistance].xml |   1 -
 ... login - [AllowUsersToConnectRemotely].xml |  14 ++
 ...le simple TCPIP services – [SimpleTcp].xml |   1 -
 ...eat Defense service – [ServiceEnabled].xml |  12 +
 ...ationInstallationsAndPromptForElevation].xml |  12 +
 ...chool accounts – [NotifyPasswordReuse].xml |  13 ++
 ...cious web activity – [NotifyMalicious].xml |  13 ++
 ...nsafe applications – [NotifyUnsafeApp].xml |  13 ++
 ...all on all network profiles – [Bundle].xml |  72 ++++++
 ...ckout policy – [AccountLockoutPolicy].xml} |   0
 ...sword and lock requirements – [Bundle].xml |  48 ++++
 ...licy – [BootStartDriverInitialization].xml |  11 +
 ...UserFromShowingAccountDetailsOnSignin].xml |   1 -
 ...kta attestation certificate - [Bundle].xml | 220 +++++++++---------
 ...anging date and time – [AllowDateTime].xml |  12 +
 ...NetworkAccess_RestrictAnonymousAccess].xml |   1 -
 .../policies/set time automatically.yml       |   7 +
 ...der settings page – [HideInsiderPage].ps1} |   0
 ... Fleet osquery – [NoRemove, NoModify].ps1} |   0
 40 files changed, 595 insertions(+), 117 deletions(-)
 create mode 100644 docs/solutions/Windows/configuration-profiles/allow network connectivity during connected standby – [ACConnectivityInStandby_2, DCConnectivityInStandby_2].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable Internet Connection Sharing service – [ConfigureInternetConnectionSharingServiceStartupMode].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable Microsoft FTP Service – [ConfigureMicrosoftFTPServiceStartupMode].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable Remote Procedure Call Locator service – [ConfigureRemoteProcedureCallLocatorServiceStartupMode].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable Routing and Remote Access service – [ConfigureRoutingAndRemoteAccessServiceStartupMode].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable SSDP Discovery Service – [ConfigureSSDPDiscoveryServiceStartupMode].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable UPnP Device Host service – [ConfigureUPnPDeviceHostServiceStartupMode].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable Windows Game Recording and Broadcasting – [AllowGameDVR].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable Windows Media Player Network Sharing Service – [ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable Windows Mobile Hotspot Service – [ConfigureWindowsMobileHotspotServiceStartupMode].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable Windows Remote Assistance – [UnsolicitedRemoteAssistance, SolicitedRemoteAssistance].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable Windows Spotlight features – [AllowWindowsSpotlight].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable World Wide Web Publishing Service – [ConfigureWorldWideWebPublishingServiceStartupMode].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable Xbox services – [Bundle].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable automatic data collection for Web Threat Defense – [AutomaticDataCollection].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable built-in Guest account – [Accounts_EnableGuestAccountStatus].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable elevated privileges for MSI installations – [MSIAlwaysInstallWithElevatedPrivileges].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable elevated privileges for user MSI installations – [MSIAlwaysInstallWithElevatedPrivileges].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/disable remote login - [AllowUsersToConnectRemotely].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/enable Microsoft Web Threat Defense service – [ServiceEnabled].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/enable UAC prompts for application installations – [UserAccountControl_DetectApplicationInstallationsAndPromptForElevation].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/enable password-reuse warnings for work or school accounts – [NotifyPasswordReuse].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/enable user warnings for malicious web activity – [NotifyMalicious].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/enable user warnings for unsafe applications – [NotifyUnsafeApp].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/enforce Windows Defender Firewall on all network profiles – [Bundle].xml
 rename docs/solutions/Windows/configuration-profiles/{account lock out - [AccountLockoutPolicy].xml => enforce account lockout policy – [AccountLockoutPolicy].xml} (100%)
 create mode 100644 docs/solutions/Windows/configuration-profiles/enforce device password and lock requirements – [Bundle].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/enforce secure boot-start driver policy – [BootStartDriverInitialization].xml
 create mode 100644 docs/solutions/Windows/configuration-profiles/prevent users from changing date and time – [AllowDateTime].xml
 create mode 100644 docs/solutions/Windows/policies/set time automatically.yml
 rename docs/solutions/Windows/scripts/{disable-insider-ui-page.ps1 => hide Windows Insider settings page – [HideInsiderPage].ps1} (100%)
 rename docs/solutions/Windows/scripts/{disallow local Fleet osquery modification.ps1 => prevent uninstall or modification of Fleet osquery – [NoRemove, NoModify].ps1} (100%)

diff --git a/docs/solutions/Windows/configuration-profiles/Disallow manual MDM unenrollment - [AllowManualMDMUnenrollment].xml b/docs/solutions/Windows/configuration-profiles/Disallow manual MDM unenrollment - [AllowManualMDMUnenrollment].xml
index 0c4374576b..87a22f6a23 100644
--- a/docs/solutions/Windows/configuration-profiles/Disallow manual MDM unenrollment - [AllowManualMDMUnenrollment].xml	
+++ b/docs/solutions/Windows/configuration-profiles/Disallow manual MDM unenrollment - [AllowManualMDMUnenrollment].xml	
@@ -1,5 +1,4 @@
 <Replace>
-  <CmdID>25</CmdID>
   <Item>
     <Target>
       <LocURI>./Device/Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment</LocURI>
diff --git a/docs/solutions/Windows/configuration-profiles/allow Windows Spotlight collections - [AllowSpotlightCollection].xml b/docs/solutions/Windows/configuration-profiles/allow Windows Spotlight collections - [AllowSpotlightCollection].xml
index 4f6ea59d74..cf2e8a9bc8 100644
--- a/docs/solutions/Windows/configuration-profiles/allow Windows Spotlight collections - [AllowSpotlightCollection].xml	
+++ b/docs/solutions/Windows/configuration-profiles/allow Windows Spotlight collections - [AllowSpotlightCollection].xml	
@@ -1,5 +1,4 @@
 <Replace>
-  <CmdID>019a01c6-9e1e-7e70-9c72-21151773f075</CmdID>
   <Item>
     <Meta>
       <Format xmlns="syncml:metinf">int</Format>
diff --git a/docs/solutions/Windows/configuration-profiles/allow network connectivity during connected standby – [ACConnectivityInStandby_2, DCConnectivityInStandby_2].xml b/docs/solutions/Windows/configuration-profiles/allow network connectivity during connected standby – [ACConnectivityInStandby_2, DCConnectivityInStandby_2].xml
new file mode 100644
index 0000000000..9b4a78d950
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/allow network connectivity during connected standby – [ACConnectivityInStandby_2, DCConnectivityInStandby_2].xml	
@@ -0,0 +1,22 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DCConnectivityInStandby_2</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>&lt;enabled/&gt;</Data>
+  </Item>
+</Replace>
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/ADMX_Power/ACConnectivityInStandby_2</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>&lt;enabled/&gt;</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable Internet Connection Sharing service – [ConfigureInternetConnectionSharingServiceStartupMode].xml b/docs/solutions/Windows/configuration-profiles/disable Internet Connection Sharing service – [ConfigureInternetConnectionSharingServiceStartupMode].xml
new file mode 100644
index 0000000000..25b0af4f03
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable Internet Connection Sharing service – [ConfigureInternetConnectionSharingServiceStartupMode].xml	
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureInternetConnectionSharingServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable Microsoft FTP Service – [ConfigureMicrosoftFTPServiceStartupMode].xml b/docs/solutions/Windows/configuration-profiles/disable Microsoft FTP Service – [ConfigureMicrosoftFTPServiceStartupMode].xml
new file mode 100644
index 0000000000..dd4400790c
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable Microsoft FTP Service – [ConfigureMicrosoftFTPServiceStartupMode].xml	
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureMicrosoftFTPServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable Remote Procedure Call Locator service – [ConfigureRemoteProcedureCallLocatorServiceStartupMode].xml b/docs/solutions/Windows/configuration-profiles/disable Remote Procedure Call Locator service – [ConfigureRemoteProcedureCallLocatorServiceStartupMode].xml
new file mode 100644
index 0000000000..169b529760
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable Remote Procedure Call Locator service – [ConfigureRemoteProcedureCallLocatorServiceStartupMode].xml	
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureRemoteProcedureCallLocatorServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable Routing and Remote Access service – [ConfigureRoutingAndRemoteAccessServiceStartupMode].xml b/docs/solutions/Windows/configuration-profiles/disable Routing and Remote Access service – [ConfigureRoutingAndRemoteAccessServiceStartupMode].xml
new file mode 100644
index 0000000000..0423e4df70
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable Routing and Remote Access service – [ConfigureRoutingAndRemoteAccessServiceStartupMode].xml	
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureRoutingAndRemoteAccessServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable SSDP Discovery Service – [ConfigureSSDPDiscoveryServiceStartupMode].xml b/docs/solutions/Windows/configuration-profiles/disable SSDP Discovery Service – [ConfigureSSDPDiscoveryServiceStartupMode].xml
new file mode 100644
index 0000000000..3a1c7e6b33
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable SSDP Discovery Service – [ConfigureSSDPDiscoveryServiceStartupMode].xml	
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSSDPDiscoveryServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable UPnP Device Host service – [ConfigureUPnPDeviceHostServiceStartupMode].xml b/docs/solutions/Windows/configuration-profiles/disable UPnP Device Host service – [ConfigureUPnPDeviceHostServiceStartupMode].xml
new file mode 100644
index 0000000000..d479e5bc79
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable UPnP Device Host service – [ConfigureUPnPDeviceHostServiceStartupMode].xml	
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureUPnPDeviceHostServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable Windows Game Recording and Broadcasting – [AllowGameDVR].xml b/docs/solutions/Windows/configuration-profiles/disable Windows Game Recording and Broadcasting – [AllowGameDVR].xml
new file mode 100644
index 0000000000..2918e4ecbc
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable Windows Game Recording and Broadcasting – [AllowGameDVR].xml	
@@ -0,0 +1,12 @@
+<Replace>
+  <!-- Disable Windows Game Recording and Broadcasting -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowGameDVR</LocURI>
+    </Target>
+    <Data>0</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable Windows Media Player Network Sharing Service – [ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode].xml b/docs/solutions/Windows/configuration-profiles/disable Windows Media Player Network Sharing Service – [ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode].xml
new file mode 100644
index 0000000000..26267e42e1
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable Windows Media Player Network Sharing Service – [ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode].xml	
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable Windows Mobile Hotspot Service – [ConfigureWindowsMobileHotspotServiceStartupMode].xml b/docs/solutions/Windows/configuration-profiles/disable Windows Mobile Hotspot Service – [ConfigureWindowsMobileHotspotServiceStartupMode].xml
new file mode 100644
index 0000000000..f128d3e279
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable Windows Mobile Hotspot Service – [ConfigureWindowsMobileHotspotServiceStartupMode].xml	
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWindowsMobileHotspotServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable Windows Remote Assistance – [UnsolicitedRemoteAssistance, SolicitedRemoteAssistance].xml b/docs/solutions/Windows/configuration-profiles/disable Windows Remote Assistance – [UnsolicitedRemoteAssistance, SolicitedRemoteAssistance].xml
new file mode 100644
index 0000000000..3e7f837b35
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable Windows Remote Assistance – [UnsolicitedRemoteAssistance, SolicitedRemoteAssistance].xml	
@@ -0,0 +1,22 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/UnsolicitedRemoteAssistance</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>&lt;disabled/&gt;</Data>
+  </Item>
+</Replace>
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/SolicitedRemoteAssistance</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>&lt;disabled/&gt;</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable Windows Spotlight features – [AllowWindowsSpotlight].xml b/docs/solutions/Windows/configuration-profiles/disable Windows Spotlight features – [AllowWindowsSpotlight].xml
new file mode 100644
index 0000000000..a065b88a42
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable Windows Spotlight features – [AllowWindowsSpotlight].xml	
@@ -0,0 +1,14 @@
+<Replace>
+  <!-- Enabling this policy setting turns off Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features 
+       Enable this policy setting if your goal is to minimize network traffic from target devices. 
+      Read more here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlight -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight</LocURI>
+    </Target>
+    <Data>0</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable World Wide Web Publishing Service – [ConfigureWorldWideWebPublishingServiceStartupMode].xml b/docs/solutions/Windows/configuration-profiles/disable World Wide Web Publishing Service – [ConfigureWorldWideWebPublishingServiceStartupMode].xml
new file mode 100644
index 0000000000..53acf49b53
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable World Wide Web Publishing Service – [ConfigureWorldWideWebPublishingServiceStartupMode].xml	
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWorldWideWebPublishingServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable Xbox services – [Bundle].xml b/docs/solutions/Windows/configuration-profiles/disable Xbox services – [Bundle].xml
new file mode 100644
index 0000000000..2b71b991b2
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable Xbox services – [Bundle].xml	
@@ -0,0 +1,44 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>4</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable automatic data collection for Web Threat Defense – [AutomaticDataCollection].xml b/docs/solutions/Windows/configuration-profiles/disable automatic data collection for Web Threat Defense – [AutomaticDataCollection].xml
new file mode 100644
index 0000000000..248054c69e
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable automatic data collection for Web Threat Defense – [AutomaticDataCollection].xml	
@@ -0,0 +1,12 @@
+<Replace>
+  <!-- Disables automatic data collection for defender smartscreen -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection</LocURI>
+    </Target>
+    <Data>0</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable built-in Administrator account – [Accounts_EnableAdministratorAccountStatus].xml b/docs/solutions/Windows/configuration-profiles/disable built-in Administrator account – [Accounts_EnableAdministratorAccountStatus].xml
index 70563197ba..92341fb60c 100644
--- a/docs/solutions/Windows/configuration-profiles/disable built-in Administrator account – [Accounts_EnableAdministratorAccountStatus].xml	
+++ b/docs/solutions/Windows/configuration-profiles/disable built-in Administrator account – [Accounts_EnableAdministratorAccountStatus].xml	
@@ -1,5 +1,4 @@
 <Replace>
-  <CmdID>1</CmdID>
   <Item>
     <Target>
       <LocURI>./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</LocURI>
diff --git a/docs/solutions/Windows/configuration-profiles/disable built-in Guest account – [Accounts_EnableGuestAccountStatus].xml b/docs/solutions/Windows/configuration-profiles/disable built-in Guest account – [Accounts_EnableGuestAccountStatus].xml
new file mode 100644
index 0000000000..0e3a3c6c6c
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable built-in Guest account – [Accounts_EnableGuestAccountStatus].xml	
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</LocURI>
+    </Target>
+    <Data>0</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable elevated privileges for MSI installations – [MSIAlwaysInstallWithElevatedPrivileges].xml b/docs/solutions/Windows/configuration-profiles/disable elevated privileges for MSI installations – [MSIAlwaysInstallWithElevatedPrivileges].xml
new file mode 100644
index 0000000000..bbb41ce854
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable elevated privileges for MSI installations – [MSIAlwaysInstallWithElevatedPrivileges].xml	
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>0</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable elevated privileges for user MSI installations – [MSIAlwaysInstallWithElevatedPrivileges].xml b/docs/solutions/Windows/configuration-profiles/disable elevated privileges for user MSI installations – [MSIAlwaysInstallWithElevatedPrivileges].xml
new file mode 100644
index 0000000000..54196a1b26
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable elevated privileges for user MSI installations – [MSIAlwaysInstallWithElevatedPrivileges].xml	
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./User/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>0</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable remote assistance - [AllowRemoteAssistance].xml b/docs/solutions/Windows/configuration-profiles/disable remote assistance - [AllowRemoteAssistance].xml
index 75d7047b24..fe71f392cd 100644
--- a/docs/solutions/Windows/configuration-profiles/disable remote assistance - [AllowRemoteAssistance].xml	
+++ b/docs/solutions/Windows/configuration-profiles/disable remote assistance - [AllowRemoteAssistance].xml	
@@ -1,5 +1,4 @@
 <Replace>
-  <CmdID>019a0126-d124-7639-b672-199c12f88d97</CmdID>
   <Item>
     <Target>
       <LocURI>./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/UnsolicitedRemoteAssistance</LocURI>
diff --git a/docs/solutions/Windows/configuration-profiles/disable remote login - [AllowUsersToConnectRemotely].xml b/docs/solutions/Windows/configuration-profiles/disable remote login - [AllowUsersToConnectRemotely].xml
new file mode 100644
index 0000000000..0bca742d0b
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/disable remote login - [AllowUsersToConnectRemotely].xml	
@@ -0,0 +1,14 @@
+<Replace>
+  <!-- Dsiable remote desktop services, an ADMX-backed policy -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/AllowUsersToConnectRemotely</LocURI>
+    </Target>
+    <Data>
+      <![CDATA[<enabled/><data id="SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" value="1"/>]]>
+    </Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/disable simple TCPIP services – [SimpleTcp].xml b/docs/solutions/Windows/configuration-profiles/disable simple TCPIP services – [SimpleTcp].xml
index 2ef7100f0b..7d82794bd2 100644
--- a/docs/solutions/Windows/configuration-profiles/disable simple TCPIP services – [SimpleTcp].xml	
+++ b/docs/solutions/Windows/configuration-profiles/disable simple TCPIP services – [SimpleTcp].xml	
@@ -1,5 +1,4 @@
 <Replace>
-  <CmdID>0199f25b-795f-772e-9037-dd02873185e7</CmdID>
   <Item>
     <Target>
       <LocURI>./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSimpleTCPIPServicesStartupMode</LocURI>
diff --git a/docs/solutions/Windows/configuration-profiles/enable Microsoft Web Threat Defense service – [ServiceEnabled].xml b/docs/solutions/Windows/configuration-profiles/enable Microsoft Web Threat Defense service – [ServiceEnabled].xml
new file mode 100644
index 0000000000..018190b1a7
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/enable Microsoft Web Threat Defense service – [ServiceEnabled].xml	
@@ -0,0 +1,12 @@
+<Replace>
+  <!-- Service Enabled key, 1 = enabled -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled</LocURI>
+    </Target>
+    <Data>1</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/enable UAC prompts for application installations – [UserAccountControl_DetectApplicationInstallationsAndPromptForElevation].xml b/docs/solutions/Windows/configuration-profiles/enable UAC prompts for application installations – [UserAccountControl_DetectApplicationInstallationsAndPromptForElevation].xml
new file mode 100644
index 0000000000..48b576915e
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/enable UAC prompts for application installations – [UserAccountControl_DetectApplicationInstallationsAndPromptForElevation].xml	
@@ -0,0 +1,12 @@
+<Replace>
+  <!-- User Account Control key, 1 = enabled -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</LocURI>
+    </Target>
+    <Data>1</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/enable password-reuse warnings for work or school accounts – [NotifyPasswordReuse].xml b/docs/solutions/Windows/configuration-profiles/enable password-reuse warnings for work or school accounts – [NotifyPasswordReuse].xml
new file mode 100644
index 0000000000..1a9f714022
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/enable password-reuse warnings for work or school accounts – [NotifyPasswordReuse].xml	
@@ -0,0 +1,13 @@
+<Replace>
+  <!-- Enable Defender SmartScreen to warn users if reusing their work or school
+    password -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse</LocURI>
+    </Target>
+    <Data>1</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/enable user warnings for malicious web activity – [NotifyMalicious].xml b/docs/solutions/Windows/configuration-profiles/enable user warnings for malicious web activity – [NotifyMalicious].xml
new file mode 100644
index 0000000000..f25304417d
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/enable user warnings for malicious web activity – [NotifyMalicious].xml	
@@ -0,0 +1,13 @@
+<Replace>
+  <!-- Enable Defender SmartScreen to warn users if they type their work or school
+    password into a malicious scenario -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious</LocURI>
+    </Target>
+    <Data>1</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/enable user warnings for unsafe applications – [NotifyUnsafeApp].xml b/docs/solutions/Windows/configuration-profiles/enable user warnings for unsafe applications – [NotifyUnsafeApp].xml
new file mode 100644
index 0000000000..934db9b232
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/enable user warnings for unsafe applications – [NotifyUnsafeApp].xml	
@@ -0,0 +1,13 @@
+<Replace>
+  <!-- Enable Defender SmartScreen to warn users if they type their work or school password into
+    text editor apps -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp</LocURI>
+    </Target>
+    <Data>1</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/enforce Windows Defender Firewall on all network profiles – [Bundle].xml b/docs/solutions/Windows/configuration-profiles/enforce Windows Defender Firewall on all network profiles – [Bundle].xml
new file mode 100644
index 0000000000..8188cbb248
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/enforce Windows Defender Firewall on all network profiles – [Bundle].xml	
@@ -0,0 +1,72 @@
+<Replace>
+  <!-- Enable Firewall for Domain Profile -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">bool</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall</LocURI>
+    </Target>
+    <Data>true</Data>
+  </Item>
+</Replace>
+<Replace>
+  <!-- Disable ability for user to override at domain level  -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">bool</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Vendor/MSFT/Firewall/MdmStore/DomainProfile/AllowLocalPolicyMerge</LocURI>
+    </Target>
+    <Data>false</Data>
+  </Item>
+</Replace>
+<Replace>
+  <!-- Enable Firewall for Private Profile -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">bool</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall</LocURI>
+    </Target>
+    <Data>true</Data>
+  </Item>
+</Replace>
+<Replace>
+  <!-- Disable ability for user to override at private profile level  -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">bool</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/AllowLocalPolicyMerge</LocURI>
+    </Target>
+    <Data>false</Data>
+  </Item>
+</Replace>
+<Replace>
+  <!-- Enable Firewall for Public Profile -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">bool</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall</LocURI>
+    </Target>
+    <Data>true</Data>
+  </Item>
+</Replace>
+<Replace>
+  <!-- Disable ability for user to override at public profile level  -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">bool</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Vendor/MSFT/Firewall/MdmStore/PublicProfile/AllowLocalPolicyMerge</LocURI>
+    </Target>
+    <Data>false</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/account lock out - [AccountLockoutPolicy].xml b/docs/solutions/Windows/configuration-profiles/enforce account lockout policy – [AccountLockoutPolicy].xml
similarity index 100%
rename from docs/solutions/Windows/configuration-profiles/account lock out - [AccountLockoutPolicy].xml
rename to docs/solutions/Windows/configuration-profiles/enforce account lockout policy – [AccountLockoutPolicy].xml
diff --git a/docs/solutions/Windows/configuration-profiles/enforce device password and lock requirements – [Bundle].xml b/docs/solutions/Windows/configuration-profiles/enforce device password and lock requirements – [Bundle].xml
new file mode 100644
index 0000000000..3d7d52ded1
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/enforce device password and lock requirements – [Bundle].xml	
@@ -0,0 +1,48 @@
+<Replace>
+  <!-- Enforce screenlock -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled</LocURI>
+    </Target>
+    <Data>0</Data>
+  </Item>
+</Replace>
+<Replace>
+  <!-- Enforce screenlock after 15 minutes -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock</LocURI>
+    </Target>
+    <Data>15</Data>
+  </Item>
+</Replace>
+<Replace>
+  <!-- Enforce PIN or password length (10 characters) -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength</LocURI>
+    </Target>
+    <Data>10</Data>
+  </Item>
+</Replace>
+<Replace>
+  <!-- Enforce PIN or password has at least one lowercase letter and at least one number -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordComplexCharacters</LocURI>
+    </Target>
+    <Data>2</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/enforce secure boot-start driver policy – [BootStartDriverInitialization].xml b/docs/solutions/Windows/configuration-profiles/enforce secure boot-start driver policy – [BootStartDriverInitialization].xml
new file mode 100644
index 0000000000..fcb72c39e8
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/enforce secure boot-start driver policy – [BootStartDriverInitialization].xml	
@@ -0,0 +1,11 @@
+<Replace>
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/System/BootStartDriverInitialization</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>&lt;disabled/&gt;</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/hide account details on sign in - [BlockUserFromShowingAccountDetailsOnSignin].xml b/docs/solutions/Windows/configuration-profiles/hide account details on sign in - [BlockUserFromShowingAccountDetailsOnSignin].xml
index ee0aa85714..da7ca853ac 100644
--- a/docs/solutions/Windows/configuration-profiles/hide account details on sign in - [BlockUserFromShowingAccountDetailsOnSignin].xml	
+++ b/docs/solutions/Windows/configuration-profiles/hide account details on sign in - [BlockUserFromShowingAccountDetailsOnSignin].xml	
@@ -1,5 +1,4 @@
 <Replace>
-  <CmdID>2</CmdID>
   <Item>
     <Meta>
       <Format>chr</Format>
diff --git a/docs/solutions/Windows/configuration-profiles/install Okta attestation certificate - [Bundle].xml b/docs/solutions/Windows/configuration-profiles/install Okta attestation certificate - [Bundle].xml
index c94e47d870..214acebdf7 100644
--- a/docs/solutions/Windows/configuration-profiles/install Okta attestation certificate - [Bundle].xml	
+++ b/docs/solutions/Windows/configuration-profiles/install Okta attestation certificate - [Bundle].xml	
@@ -1,131 +1,131 @@
 <Add>
-        <!-- Name of SCEP node -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">node</Format>
-</Meta>
-</Item>
+  <!-- Name of SCEP node -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">node</Format>
+    </Meta>
+  </Item>
 </Add>
 <Add>
-        <!-- Retry count for SCEP installation -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/RetryCount</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">int</Format>
-</Meta>
-<Data>3</Data>
-</Item>
+  <!-- Retry count for SCEP installation -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/RetryCount</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>3</Data>
+  </Item>
 </Add>
 <Add>
-        <!-- Retry delay for SCEP installation -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/RetryDelay</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">int</Format>
-</Meta>
-<Data>10</Data>
-</Item>
+  <!-- Retry delay for SCEP installation -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/RetryDelay</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>10</Data>
+  </Item>
 </Add>
 <Add>
-        <!-- Key Usage - keep default for Okta -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/KeyUsage</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">int</Format>
-</Meta>
-<Data>160</Data>
-</Item>
+  <!-- Key Usage - keep default for Okta -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/KeyUsage</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>160</Data>
+  </Item>
 </Add>
 <Add>
-        <!-- Key Length - min 2048 for Okta -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/KeyLength</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">int</Format>
-</Meta>
-<Data>2048</Data>
-</Item>
+  <!-- Key Length - min 2048 for Okta -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/KeyLength</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Data>2048</Data>
+  </Item>
 </Add>
 <Add>
-        <!-- Hash Algorithm - keep default for Okta -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/HashAlgorithm</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">chr</Format>
-</Meta>
-<Data>SHA-1</Data>
-</Item>
+  <!-- Hash Algorithm - keep default for Okta -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/HashAlgorithm</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>SHA-1</Data>
+  </Item>
 </Add>
 <Add>
-        <!-- CN - keep default for Okta -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/SubjectName</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">chr</Format>
-</Meta>
-<Data>CN=$FLEET_VAR_HOST_UUID managementAttestation</Data>
-</Item>
+  <!-- CN - keep default for Okta -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/SubjectName</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>CN=$FLEET_VAR_HOST_UUID managementAttestation</Data>
+  </Item>
 </Add>
 <Add>
-        <!-- Extended Key Usage - keep default for Okta -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/EKUMapping</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">chr</Format>
-</Meta>
-<Data>1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2+1.3.6.1.5.5.7.3.2</Data>
-</Item>
+  <!-- Extended Key Usage - keep default for Okta -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/EKUMapping</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2+1.3.6.1.5.5.7.3.2</Data>
+  </Item>
 </Add>
 <Add>
-        <!-- SCEP Server URL -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/ServerURL</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">chr</Format>
-</Meta>
-<Data>{{yourScepUrl}}</Data>
-</Item>
+  <!-- SCEP Server URL -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/ServerURL</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>{{yourScepUrl}}</Data>
+  </Item>
 </Add>
 <Add>
-        <!-- SCEP Challenge - Does not need to be b64 -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/Challenge</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">chr</Format>
-</Meta>
-<Data>{{yourScepChallenge}}</Data>
-</Item>
+  <!-- SCEP Challenge - Does not need to be b64 -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/Challenge</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>{{yourScepChallenge}}</Data>
+  </Item>
 </Add>
 <Add>
-        <!-- SCEP CA Thumbprint - Download Okta CA (if using) and specify thumbprint here -->
-<Item>
-<Target>
-<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/CAThumbprint</LocURI>
-</Target>
-<Meta>
-<Format xmlns="syncml:metinf">chr</Format>
-</Meta>
-<Data>{{yourScepCAThumbprint}}</Data>
-</Item>
-</Add>
+  <!-- SCEP CA Thumbprint - Download Okta CA (if using) and specify thumbprint here -->
+  <Item>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{{yourCertName}}/Install/CAThumbprint</LocURI>
+    </Target>
+    <Meta>
+      <Format xmlns="syncml:metinf">chr</Format>
+    </Meta>
+    <Data>{{yourScepCAThumbprint}}</Data>
+  </Item>
+</Add>
\ No newline at end of file
diff --git a/docs/solutions/Windows/configuration-profiles/prevent users from changing date and time – [AllowDateTime].xml b/docs/solutions/Windows/configuration-profiles/prevent users from changing date and time – [AllowDateTime].xml
new file mode 100644
index 0000000000..c22055e0c6
--- /dev/null
+++ b/docs/solutions/Windows/configuration-profiles/prevent users from changing date and time – [AllowDateTime].xml	
@@ -0,0 +1,12 @@
+<Replace>
+  <!-- Disallows the user to change date and time settings -->
+  <Item>
+    <Meta>
+      <Format xmlns="syncml:metinf">int</Format>
+    </Meta>
+    <Target>
+      <LocURI>./Device/Vendor/MSFT/Policy/Config/Settings/AllowDateTime</LocURI>
+    </Target>
+    <Data>0</Data>
+  </Item>
+</Replace>
diff --git a/docs/solutions/Windows/configuration-profiles/restrict Everyone permissions in network access - [NetworkAccess_RestrictAnonymousAccess].xml b/docs/solutions/Windows/configuration-profiles/restrict Everyone permissions in network access - [NetworkAccess_RestrictAnonymousAccess].xml
index f53b77dc9a..12eb9014a4 100644
--- a/docs/solutions/Windows/configuration-profiles/restrict Everyone permissions in network access - [NetworkAccess_RestrictAnonymousAccess].xml	
+++ b/docs/solutions/Windows/configuration-profiles/restrict Everyone permissions in network access - [NetworkAccess_RestrictAnonymousAccess].xml	
@@ -1,5 +1,4 @@
 <Replace>
-  <CmdID>019a01b4-68a6-7aab-a125-fb36dc055a4c</CmdID>
   <Item>
     <Target>
       <LocURI>./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers</LocURI>
diff --git a/docs/solutions/Windows/policies/set time automatically.yml b/docs/solutions/Windows/policies/set time automatically.yml
new file mode 100644
index 0000000000..a891bf0099
--- /dev/null
+++ b/docs/solutions/Windows/policies/set time automatically.yml	
@@ -0,0 +1,7 @@
+- name: Windows - Ensure 'set time automatically' enabled
+  platform: windows
+  description: This policy checks if Windows machines are enabled to automatically set time.
+  resolution: From Settings, enable, "Set Time Automatically". Failures will result in script execution to remediate.
+  query: SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type' AND data = 'NTP';
+  run_script:
+    path: "../lib/enable_ntp.ps1"
\ No newline at end of file
diff --git a/docs/solutions/Windows/scripts/disable-insider-ui-page.ps1 b/docs/solutions/Windows/scripts/hide Windows Insider settings page – [HideInsiderPage].ps1
similarity index 100%
rename from docs/solutions/Windows/scripts/disable-insider-ui-page.ps1
rename to docs/solutions/Windows/scripts/hide Windows Insider settings page – [HideInsiderPage].ps1
diff --git a/docs/solutions/Windows/scripts/disallow local Fleet osquery modification.ps1 b/docs/solutions/Windows/scripts/prevent uninstall or modification of Fleet osquery – [NoRemove, NoModify].ps1
similarity index 100%
rename from docs/solutions/Windows/scripts/disallow local Fleet osquery modification.ps1
rename to docs/solutions/Windows/scripts/prevent uninstall or modification of Fleet osquery – [NoRemove, NoModify].ps1