diff --git a/.github/workflows/benchmark_tracking_controller.yml b/.github/workflows/benchmark_tracking_controller.yml
index 0d9f515..039ec0d 100644
--- a/.github/workflows/benchmark_tracking_controller.yml
+++ b/.github/workflows/benchmark_tracking_controller.yml
@@ -1,8 +1,22 @@
 ---
 # GitHub schedules all cron jobs in UTC.
-# This expression will run the job every day at 9 AM Eastern Time during Daylight Saving Time (mid-March to early November).
-# This expression will run the job every day at 8 AM Eastern Time during Standard Time (early November to mid-March).
+# ──────────────────────────────────────────────────────────────────────────────
+# Schedule:
+# - '0 13 * * *' runs at 13:00 UTC every day.
+# - This corresponds to:
+# • 9:00 AM Eastern **during Daylight Saving Time** (mid-Mar → early-Nov)
+# • 8:00 AM Eastern **during Standard Time** (early-Nov → mid-Mar)
+#
+# Job routing:
+# - call-benchmark-tracker:
+# • Runs on manual dispatch, and on pushes to the 'latest' branch.
+# - call-monitor-promotions:
+# • Runs on schedule or manual dispatch **only in repos named ansible-lockdown/Private-***.
+# • Skips automatically in public repos (e.g., Windows-2022-CIS) to avoid false failures.
+#
+# Defense-in-depth:
+# - The called promotion workflow may still keep its own guard to ensure only Private-* repos execute it.
 name: Central Benchmark Orchestrator
@@ -11,11 +25,12 @@ on:
 branches:
 - latest
 schedule:
- - cron: '0 6 * * *' # Runs daily at 9 AM ET
+ - cron: '0 13 * * *' # 13:00 UTC → 9 AM ET (DST) / 8 AM ET (Standard Time)
 workflow_dispatch:
 jobs:
 call-benchmark-tracker:
+ # Run on manual dispatch OR when 'latest' branch receives a push
 if: github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == 'latest')
 name: Start Benchmark Tracker
 uses: ansible-lockdown/github_linux_IaC/.github/workflows/benchmark_track.yml@self_hosted
@@ -27,7 +42,8 @@ jobs:
 DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
 call-monitor-promotions:
- if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+ # Run on schedule or manual dispatch, but only for Private-* repos
+ if: (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && startsWith(github.repository, 'ansible-lockdown/Private-')
 name: Monitor Promotions and Auto-Promote
 uses: ansible-lockdown/github_linux_IaC/.github/workflows/benchmark_promote.yml@self_hosted
 with:
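Review bot: The new `if:` on `call-monitor-promotions` makes a repository-name prefix the only gate visible here in front of a job that auto-promotes, while the header comment added in the first hunk says only that the called workflow "may" keep its own guard. `startsWith()` in GitHub Actions expressions is not case sensitive, and this caller-side check presumably lives in each repository's copy of the orchestrator, so it is best treated as a convenience skip rather than the enforcement point. I would confirm that `benchmark_promote.yml` re-checks the repository itself and, once confirmed, replace the hedged line with something like `# - benchmark_promote.yml enforces the Private-* check itself; the 'if' here only avoids noisy runs in public repos.` The unchanged `uses:` line resolves `@self_hosted`, which looks like a branch ref rather than a commit SHA, so the gated job runs whatever that ref currently points to. The job's mapping continues past `with:` outside this hunk.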