@mattifestation
Created November 27, 2016 00:12
A working code integrity policy that I was able to deploy to my bare-metal Nano Server install on my Intel NUC.
<?xml version="1.0" encoding="utf-8"?>
<!--
  Windows code integrity (Device Guard / WDAC) policy in the SiPolicy schema.
  Layout: policy options (Rules), file attribute rules, the signer set (each a
  CA certificate TBS hash plus an optional publisher constraint), and the
  signing scenarios that bind signers to kernel-mode and user-mode enforcement.
  NOTE(review): no "Enabled:Audit Mode" option is listed, so this policy
  appears to block rather than merely log anything it does not allow; confirm
  in audit mode first on any new hardware.
-->
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>1.0.0.0</VersionEx>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<!--The policy itself is unsigned: an administrator can replace it without presenting a signed update. This matches the empty UpdatePolicySigners element further down.-->
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
<!--Keeps the advanced (F8) boot options menu reachable; a hardened deployment would usually drop this option.-->
<Rule>
<Option>Enabled:Advanced Boot Options Menu</Option>
</Rule>
<!--User-mode code integrity is on, so the "User-mode rules" scenario below is enforced, not only the kernel-mode one.-->
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
<!--Flight-signed (Insider/preview) binaries are not trusted.-->
<Rule>
<Option>Disabled:Flight Signing</Option>
</Rule>
</Rules>
<!--EKUS-->
<!--No EKU constraints: signers are not narrowed by certificate usage, only by CA root hash and publisher.-->
<EKUs />
<!--File Rules-->
<FileRules>
<!--This is the only non-OEM, 3rd party driver I needed for my Intel NUC-->
<!--I was very specific with this driver rule but flexible with all other MS drivers.-->
<!--Pins the NIC driver by file name and a minimum version; it is referenced from the two kernel-mode signers ID_SIGNER_F_1 and ID_SIGNER_F_2, so the file must satisfy both the signature chain and this attribute rule.-->
<FileAttrib ID="ID_FILEATTRIB_F_1" FriendlyName="e1d64x64.sys FileAttribute" FileName="e1d64x64.sys" MinimumFileVersion="12.15.22.3" />
</FileRules>
<!--Signers-->
<!--CertRoot Type="TBS" is the hash of the CA certificate's to-be-signed blob; CertPublisher, where present, restricts the leaf certificate subject. ID_SIGNER_F_* entries are file-scoped (tied to the FileAttrib above); ID_SIGNER_S_* entries are unconstrained by file.-->
<Signers>
<!--Intel's CA, accepted only for the pinned e1d64x64.sys driver.-->
<Signer ID="ID_SIGNER_F_1" Name="Intel External Basic Policy CA">
<CertRoot Type="TBS" Value="53B052BA209C525233293274854B264BC0F68B73" />
<CertPublisher Value="Intel(R) INTELNPG1" />
<FileAttribRef RuleID="ID_FILEATTRIB_F_1" />
</Signer>
<!--WHQL-attested copy of the same driver; also limited to the pinned file.-->
<Signer ID="ID_SIGNER_F_2" Name="Microsoft Windows Third Party Component CA 2012">
<CertRoot Type="TBS" Value="CEC1AFD0E310C55C1DCC601AB8E172917706AA32FB5EAF826813547FDF02DD46" />
<CertPublisher Value="Microsoft Windows Hardware Compatibility Publisher" />
<FileAttribRef RuleID="ID_FILEATTRIB_F_1" />
</Signer>
<Signer ID="ID_SIGNER_S_3" Name="Microsoft Windows Production PCA 2011">
<CertRoot Type="TBS" Value="4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146" />
<CertPublisher Value="Microsoft Windows" />
</Signer>
<Signer ID="ID_SIGNER_S_4" Name="Microsoft Code Signing PCA">
<CertRoot Type="TBS" Value="27543A3F7612DE2261C7228321722402F63A07DE" />
<CertPublisher Value="Microsoft Corporation" />
</Signer>
<Signer ID="ID_SIGNER_S_5" Name="Microsoft Code Signing PCA 2011">
<CertRoot Type="TBS" Value="F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E" />
<CertPublisher Value="Microsoft Corporation" />
</Signer>
<!--Same CA as ID_SIGNER_S_3 but a different publisher string ("Microsoft Windows Publisher"), so both are needed to cover Windows user-mode binaries.-->
<Signer ID="ID_SIGNER_S_6" Name="Microsoft Windows Production PCA 2011">
<CertRoot Type="TBS" Value="4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146" />
<CertPublisher Value="Microsoft Windows Publisher" />
</Signer>
<!--Byte-for-byte duplicate of ID_SIGNER_S_3 (same CertRoot and CertPublisher), presumably left over from merging policies. Harmless, but it is the only one of the pair referenced from the kernel-mode scenario.-->
<Signer ID="ID_SIGNER_S_2" Name="Microsoft Windows Production PCA 2011">
<CertRoot Type="TBS" Value="4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146" />
<CertPublisher Value="Microsoft Windows" />
</Signer>
<!--No CertPublisher here, so unlike every other signer this one is not narrowed to a named publisher: any kernel-mode code whose chain reaches this CA root is accepted. This is the broadest rule in the policy; tighten it if the CA's subordinate issuance is not fully trusted.-->
<Signer ID="ID_SIGNER_S_1" Name="Microsoft Code Signing PCA 2010">
<CertRoot Type="TBS" Value="121AF4B922A74247EA49DF50DE37609CC1451A1FE06B2CB7E1E079B492BD8195" />
</Signer>
</Signers>
<!--Driver Signing Scenarios-->
<!--Kernel mode accepts the two Microsoft signers plus the two file-scoped Intel NUC driver signers; user mode accepts only the four publisher-constrained Microsoft signers. No DeniedSigners are declared in either scenario.-->
<SigningScenarios>
<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Kernel-mode rules">
<ProductSigners>
<AllowedSigners>
<AllowedSigner SignerId="ID_SIGNER_S_1" />
<AllowedSigner SignerId="ID_SIGNER_S_2" />
<AllowedSigner SignerId="ID_SIGNER_F_1" />
<AllowedSigner SignerId="ID_SIGNER_F_2" />
</AllowedSigners>
</ProductSigners>
</SigningScenario>
<SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User-mode rules">
<ProductSigners>
<AllowedSigners>
<AllowedSigner SignerId="ID_SIGNER_S_3" />
<AllowedSigner SignerId="ID_SIGNER_S_4" />
<AllowedSigner SignerId="ID_SIGNER_S_5" />
<AllowedSigner SignerId="ID_SIGNER_S_6" />
</AllowedSigners>
</ProductSigners>
</SigningScenario>
</SigningScenarios>
<!--Empty: no certificate is authorised to sign policy updates, which is only coherent because the policy is declared unsigned above. Populate this before switching to a signed policy, or the policy cannot be updated.-->
<UpdatePolicySigners />
<!--Mirrors the user-mode AllowedSigners list.-->
<CiSigners>
<CiSigner SignerId="ID_SIGNER_S_3" />
<CiSigner SignerId="ID_SIGNER_S_4" />
<CiSigner SignerId="ID_SIGNER_S_5" />
<CiSigner SignerId="ID_SIGNER_S_6" />
</CiSigners>
<!--0 leaves hypervisor-enforced code integrity (HVCI) off; the policy is applied by normal kernel CI only.-->
<HvciOptions>0</HvciOptions>
</SiPolicy>