MicrosoftHotCakeX :
The key point first: every single SCT baseline for Windows since Win8.1/WS2012R2 recommends the secure "Enabled" setting, and explicitly configures it that way if you import the provided GPO backups to local or domain GPO. The only provision that the SCT baseline tools offer to automate configuring it to "Disabled" is to run the local-install script you mentioned with the "NonDomainJoined" switch explicitly specified, which applies the delta switching the setting from "Enabled" to "Disabled." In other words, if you do not explicitly choose the option that includes the "Disabled" choice, you will get the explicit "Enabled" setting which enforces the Windows default. (The registry value is not present otherwise.)
To your other points:
The SCT baselines only apply configuration changes- they don't perform verifications or report results other than whether settings were applied. (Same is true of the CIS benchmarks and DISA STIGs, FWIW.) Separate tooling is required to perform verifications. (And defining "insecure administration methods" would have to cover a far broader area than we've been talking about here.)
The line of script to disable the Xbox task was a one-off / last resort and something that's generally avoided. Unlike all the other settings in the baselines, it's not continually enforced the way local/domain GPOs are, so it gets configured only when one runs the script to install the baseline to a local machine; if the baseline is enforced from domain GPO that recommendation never even gets implemented. Service startup configuration is part of the GPOs' security templates (not from the PowerShell scripts), so it can be continually enforced.
