diff --git a/deploy/docker-compose.test.yml b/deploy/docker-compose.test.yml index 37c65f1..9881591 100644 --- a/deploy/docker-compose.test.yml +++ b/deploy/docker-compose.test.yml @@ -637,14 +637,23 @@ services: ipv4_address: 10.30.50.29 profiles: [deploy-e2e] - # windows-iis-test: Windows containers run only on Windows hosts per - # frozen decision 0.4. Linux CI runners CANNOT run this; the - # windows-vendor-e2e CI matrix job runs on windows-latest runners. - # Documented limitation. Operators on Linux-only CI use the - # //go:build integration && !no_iis opt-out. + # windows-iis-test: Windows containers run only on Windows hosts. + # CI no longer runs an IIS matrix (per ci-pipeline-cleanup bundle + # Phase 6 / frozen decision 0.5 — revises Bundle II decision 0.4). + # Two reasons the Windows matrix was deleted: (a) it couldn't + # physically work on `windows-latest` GitHub runners (Docker not + # started in Windows-containers mode by default; `bridge` network + # driver doesn't exist on Windows Docker); (b) all IIS + WinCertStore + # vendor-edge tests are t.Log placeholder stubs that exercise no + # IIS-specific behavior. # - # Image not pulled by default (no profile match on Linux); included - # here so Windows operators get the same compose surface. + # Operators validate IIS + WinCertStore manually on a Windows host + # per the playbook at docs/connector-iis.md::Operator validation playbook. + # + # The sidecar definition stays here under profiles: [deploy-e2e-windows] + # so a Windows operator can opt in via: + # docker compose --profile deploy-e2e-windows up -d windows-iis-test + # Linux CI never activates this profile. windows-iis-test: image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2022@sha256:8d0b0e651ad514e3fb05978db66f38036118812e1b9314a48f10419cad8a3462 container_name: certctl-test-iis diff --git a/docs/connector-iis.md b/docs/connector-iis.md index 9446226..d30f414 100644 --- a/docs/connector-iis.md +++ b/docs/connector-iis.md 
@@ -128,3 +128,68 @@ hostname. - [Atomic deploy + post-verify + rollback](deployment-atomicity.md) - [Vendor compatibility matrix](deployment-vendor-matrix.md) + +## Operator validation playbook (Windows host) + +CI no longer runs the IIS + WinCertStore vendor-e2e tests on every +push. Per ci-pipeline-cleanup bundle frozen decision 0.5 (which +revises Bundle II decision 0.4), the Windows matrix was deleted +because (a) it couldn't physically work on `windows-latest` GitHub +runners (Docker not started in Windows-containers mode by default; +`bridge` network driver doesn't exist on Windows Docker — uses +`nat`), and (b) all IIS + WinCertStore vendor-edge tests are +`t.Log` placeholder stubs that exercise no IIS-specific behavior. + +The real IIS connector validation lives in: + +1. `internal/connector/target/iis/` unit tests (run on Linux in the + regular Go Build & Test job — already green on every push). +2. This playbook — operator manual smoke against a real Windows host + pre-release. + +### Prerequisites + +- Windows Server 2019 or 2022 host (or Windows 10/11 Pro with Hyper-V) +- Docker Desktop in Windows containers mode + (Settings → "Switch to Windows containers") +- Go 1.25.9 + git + +### Procedure + +```powershell +# Clone + checkout +git clone https://github.com/shankar0123/certctl.git +cd certctl +git fetch --tags +git checkout v2.X.0 # whichever release is being validated + +# Bring up the Windows IIS sidecar +docker compose --profile deploy-e2e-windows ` + -f deploy/docker-compose.test.yml ` + up -d windows-iis-test +Start-Sleep -Seconds 30 + +# Run IIS + WinCertStore vendor-edge tests +$env:INTEGRATION = "1" +go test -tags integration -race -count=1 ` + -run 'VendorEdge_(IIS|WinCertStore)' ` + ./deploy/test/... 
| Tee-Object -FilePath iis-validation.log + +# Tear down +docker compose --profile deploy-e2e-windows ` + -f deploy/docker-compose.test.yml ` + down -v +``` + +### Acceptance + +Per Bundle II frozen decision 0.14, the IIS / WinCertStore cells in +`docs/deployment-vendor-matrix.md` flip from "CI" / "pending" → "✓" +only when ALL of the following are true: + +- ≥1 happy-path e2e passes against the real Windows IIS sidecar +- ≥1 specific-quirk test for that Windows Server version passes +- This playbook's full procedure ran clean once on a real Windows host + +Operator records the validation date + Windows Server version in +`cowork//iis-validation-receipts.md` for audit trail. diff --git a/docs/deployment-vendor-matrix.md b/docs/deployment-vendor-matrix.md index d4a9afa..4bd3668 100644 --- a/docs/deployment-vendor-matrix.md +++ b/docs/deployment-vendor-matrix.md 
@@ -39,15 +39,15 @@ vendor. EOL versions explicitly excluded. | **Postfix** | postfix.org | 3.6 | CI | per-listener cert binding | configure cert per-listener block | `TestVendorEdge_Postfix_MultiListenerCertBinding_DeployUpdatesCorrectListener_E2E` | | Postfix | postfix.org | 3.8 | CI | (same) | (same) | (same) | | **Dovecot** | dovecot.org | 2.3 | CI | submission/submissions port variants | configure both inet_listener blocks | `TestVendorEdge_Dovecot_SubmissionSubmissionsPortVariants_E2E` | -| **IIS** | microsoft.com | IIS 10 (Server 2019) | pending | Windows-host-only CI; app-pool recycle opt-in | `AppPoolRecycle: true` per-target if needed | `TestVendorEdge_IIS_AppPoolRecycle_OptInForCertChange_E2E` | -| IIS | microsoft.com | IIS 10 (Server 2022) | pending | (same) | (same) | (same) | +| **IIS** | microsoft.com | IIS 10 (Server 2019) | operator-playbook | Windows-host-only validation per [operator playbook](connector-iis.md#operator-validation-playbook-windows-host); app-pool recycle opt-in | `AppPoolRecycle: true` per-target if needed | `TestVendorEdge_IIS_AppPoolRecycle_OptInForCertChange_E2E` | +| IIS | microsoft.com | IIS 10 (Server 2022) | operator-playbook | (same) | (same) | (same) | | **F5 BIG-IP** | f5.com | v15.1 LTS | mock | larger cert chain (>4 links) historical issue | use cert chain ≤4 links OR upgrade to v17 | `TestVendorEdge_F5_LargeCertChainHandling_E2E` | | F5 BIG-IP | f5.com | v17.0 | mock | (chain limit lifted) | n/a | (same) | | F5 BIG-IP | f5.com | v17.5 | mock | (same) | n/a | (same) | | **SSH** | openssh.com | OpenSSH 8.x | CI | sftp subsystem may be disabled | connector falls back to scp | `TestVendorEdge_SSH_SFTPSubsystemAbsent_FallsBackToSCP_E2E` | | SSH | openssh.com | OpenSSH 9.x | CI | (same) | (same) | (same) | -| **WinCertStore** | microsoft.com | Windows Server 2019 | pending | cert store ACL: NS vs IIS_IUSRS | configure store ACL per IIS app-pool identity | `TestVendorEdge_WinCertStore_CertStoreACL_NetworkServiceAccess_E2E` | 
-| WinCertStore | microsoft.com | Windows Server 2022 | pending | (same) | (same) | (same) | +| **WinCertStore** | microsoft.com | Windows Server 2019 | operator-playbook | Windows-host-only validation per [operator playbook](connector-iis.md#operator-validation-playbook-windows-host); cert store ACL: NS vs IIS_IUSRS | configure store ACL per IIS app-pool identity | `TestVendorEdge_WinCertStore_CertStoreACL_NetworkServiceAccess_E2E` | +| WinCertStore | microsoft.com | Windows Server 2022 | operator-playbook | (same) | (same) | (same) | | **JavaKeystore** | adoptium.net | JDK 11 LTS | pending | keytool `-importkeystore` semantics | use `KeytoolPath` config to pin to JDK | `TestVendorEdge_JavaKeystore_JDK11_vs_17_vs_21_KeytoolBehavior_E2E` | | JavaKeystore | adoptium.net | JDK 17 LTS | pending | (same) | (same) | (same) | | JavaKeystore | adoptium.net | JDK 21 LTS | pending | (same) | (same) | (same) |
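Review bot: in the deploy/docker-compose.test.yml hunk the rewritten comment states that the sidecar sits under `profiles: [deploy-e2e-windows]`, but the hunk changes only comment lines and the service's own `profiles:` key lies outside the shown context, so please confirm (or include in this diff) that `windows-iis-test` actually carries `deploy-e2e-windows` rather than the `deploy-e2e` profile visible just above it; otherwise a Linux runner invoking `--profile deploy-e2e` would still try to pull the Windows image and fail. The comment also drops the old reference to the `//go:build integration && !no_iis` opt-out without saying whether that tag was removed from the test sources; state that here or in the playbook so Linux-only operators know whether the opt-out still exists. Keeping the digest-pinned `mcr.microsoft.com/windows/servercore/iis` image is the right call for a reproducible validation target.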
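Review bot: in the docs/connector-iis.md hunk the Procedure section runs `go test ... -run 'VendorEdge_(IIS|WinCertStore)'`, yet the same section states these tests are `t.Log` placeholder stubs that exercise no IIS-specific behavior, so a clean `iis-validation.log` cannot satisfy the Acceptance bullet "≥1 happy-path e2e passes against the real Windows IIS sidecar"; either add explicit manual steps to the playbook (deploy a certificate through the connector, then confirm the site binding and the store ACL on the sidecar) or state in Acceptance that the stubs must be replaced with real assertions before a cell may flip. Related: `Start-Sleep -Seconds 30` is a fixed wait rather than a readiness check, so consider polling the container health or the IIS port before running the tests. The receipt path `cowork//iis-validation-receipts.md` contains a doubled slash that looks like a typo or an unfilled placeholder.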
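Review bot: in the docs/deployment-vendor-matrix.md hunk the status cells change from `pending` to `operator-playbook`, but the Acceptance section added in docs/connector-iis.md still describes the cells as flipping from "CI" / "pending" to "✓", so one of the two documents should be updated to name the new intermediate state, and any legend for the status column should define `operator-playbook` alongside `CI`, `mock` and `pending`. Also, the playbook's sidecar is the `windowsservercore-ltsc2022` image, so running it validates only the Server 2022 rows; the Server 2019 rows for IIS and WinCertStore are marked `(same)` but would need an ltsc2019 image or a real 2019 host before their cells can flip under the "specific-quirk test for that Windows Server version" criterion.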