If your goal is to phase out local accounts and force microsoft.com logins as part of the computer setup, being able to trust your certificates seems like a prerequisite to being able to trust your users. And the correct time is a prerequisite to trusting your certificates.
This makes no sense..? If the admin wants to change the clock to something else and make their certs invalid, they can always do so. It's just for getting an initial handshake, and then after that NTP should keep working (at least until the next reset with a dead CMOS battery).
There's no way for the server to accurately determine the client's hardware clock, barring some sort of user-hostile hardware clock with a nuclear battery or hardened GPS or radio time receiver or something.
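The trust dependency the first two comments describe (certificate validity hinges on the clock, and a dead CMOS battery leaves the clock at a firmware default) can be shown concretely. The following is an added example, not code from the thread or from any vendor: it takes a peer-certificate dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns (the dict here is constructed, not a real certificate), parses the validity window with the standard-library `ssl.cert_time_to_seconds`, and, before blaming the certificate, checks the system clock against an assumed image build timestamp used as a lower bound on what "now" can plausibly be. A clock earlier than the build time cannot be correct, so the sensible response is to fix the time (the initial NTP handshake the second comment mentions) rather than to treat the certificate as bad.

```python
import ssl
from datetime import datetime, timezone

# Constructed peer-certificate dict with only the fields this check needs.
# Field names and date format match what ssl.SSLSocket.getpeercert() returns.
PEER_CERT = {
    "subject": ((("commonName", "login.example.invalid"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

# Assumption: the OS/firmware image records when it was built. Nothing the
# device knows can legitimately predate this, so it bounds "now" from below.
BUILD_TIME = datetime(2024, 3, 1, tzinfo=timezone.utc)


def validity_window(cert):
    """Return (notBefore, notAfter) as timezone-aware UTC datetimes."""
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return not_before, not_after


def clock_plausible(now, build_time=BUILD_TIME):
    """A clock earlier than the image build time is the signature of a reset
    (dead CMOS battery, firmware default date), not evidence about the cert."""
    return now >= build_time


def classify(now, cert=PEER_CERT, build_time=BUILD_TIME):
    """Decide what a failed or passed time check actually means.

    'clock-reset'  -> do not trust the verdict either way; obtain time first.
    'valid'        -> the certificate is inside its window at this clock.
    'outside-window' -> clock is plausible and the cert really is expired or
                        not yet valid.
    """
    if not clock_plausible(now, build_time):
        return "clock-reset"
    not_before, not_after = validity_window(cert)
    if not_before <= now <= not_after:
        return "valid"
    return "outside-window"


if __name__ == "__main__":
    for label, now in [
        ("healthy clock", datetime(2024, 6, 1, tzinfo=timezone.utc)),
        ("CMOS default", datetime(2000, 1, 1, tzinfo=timezone.utc)),
        ("cert expired", datetime(2025, 6, 1, tzinfo=timezone.utc)),
    ]:
        print(f"{label:14s} {now.date()} -> {classify(now)}")
```

The build-time floor only catches clocks that have gone backwards; a clock that has drifted forward past `notAfter` still reads as a genuine expiry, which is why the comments treat NTP as the ongoing fix and the floor as nothing more than a bootstrap sanity check.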