$xml = @'
<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
<TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}"
name="Deploy Sysmon"
image="0"
changed="2026-06-05 18:27:29"
uid="{CCB30FE8-E8DD-44F2-8C8E-FD831F9949B3}">
<Properties action="C"
name="Deploy Sysmon"
runAs="NT AUTHORITY\System"
logonType="S4U">
<Task version="1.3">
<RegistrationInfo>
<Author>CORP\Administrator</Author>
<Description>Installs Sysmon64 with sysmon-modular config at startup via SYSVOL</Description>
</RegistrationInfo>
<Principals>
<Principal id="Author">
<UserId>NT AUTHORITY\System</UserId>
<LogonType>S4U</LogonType>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Triggers>
<BootTrigger>
<Enabled>true</Enabled>
<Delay>PT1M</Delay>
</BootTrigger>
</Triggers>
<Actions Context="Author">
<Exec>
<Command>powershell.exe</Command>
<Arguments>-NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File "\\DC01\SYSVOL\corp.lab.lan\scripts\sysmon-install.ps1"</Arguments>
</Exec>
</Actions>
</Task>
</Properties>
</TaskV2>
</ScheduledTasks>
'@
$xml | Out-File "C:\Windows\SYSVOL\sysvol\corp.lab.lan\Policies\{D90147A5-06F9-4181-8D77-A6FE38A59352}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml" -Encoding UTF8