From 220283d5fa02f538985b4518109b0fffe5c3cad1 Mon Sep 17 00:00:00 2001 From: Eric StJohn Date: Wed, 8 Oct 2025 09:50:51 -0700 Subject: [PATCH 1/3] Test just CFSClean networkIsolationPolicy See https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-build/cloudbuild/security/1espt-network-isolation `CFSClean` will apply policy that blocks public package manager endpoints. `Permissive` allows everything else, but we shouldn't do this by default. Let's try being more restrictive and only add `Permissive` if we don't have more granular policies to enable. --- eng/pipelines/azure-pipelines.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/eng/pipelines/azure-pipelines.yml b/eng/pipelines/azure-pipelines.yml index 577c2ae399..886239e19c 100644 --- a/eng/pipelines/azure-pipelines.yml +++ b/eng/pipelines/azure-pipelines.yml @@ -32,7 +32,7 @@ extends: image: 1es-windows-2022 os: windows settings: - networkIsolationPolicy: Permissive,CFSClean + networkIsolationPolicy: CFSClean stages: - stage: build displayName: Build @@ -66,3 +66,4 @@ extends: enableSigningValidation: false symbolPublishingAdditionalParameters: /p:PublishToSymWeb=false /p:PublishToMSDL=false + From 3b82e6da0ae6a3580908c1562dc813806fb08120 Mon Sep 17 00:00:00 2001 From: Eric StJohn Date: Wed, 8 Oct 2025 13:32:16 -0700 Subject: [PATCH 2/3] Use Preferred networkIsolationPolicy --- eng/pipelines/azure-pipelines.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/eng/pipelines/azure-pipelines.yml b/eng/pipelines/azure-pipelines.yml index 886239e19c..d83c30100f 100644 --- a/eng/pipelines/azure-pipelines.yml +++ b/eng/pipelines/azure-pipelines.yml @@ -32,7 +32,7 @@ extends: image: 1es-windows-2022 os: windows settings: - networkIsolationPolicy: CFSClean + networkIsolationPolicy: Preferred,CFSClean stages: - stage: build displayName: Build @@ -67,3 +67,4 @@ extends: symbolPublishingAdditionalParameters: /p:PublishToSymWeb=false /p:PublishToMSDL=false + 
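Review bot: The `networkIsolationPolicy: CFSClean` line in the first hunk of patch 1/3 has no comment recording why `Permissive` was dropped, so the reasoning exists only in the commit message and behind an internal link. A reader of the YAML cannot tell that the narrower value is deliberate, which makes it easy to widen again when a build fails. I would put a comment directly above the setting, for example `# CFSClean blocks public package manager endpoints; add Permissive only if no more granular policy covers the need.` The `extends` block starts and ends outside the hunk.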
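Review bot: `Preferred` is added to `networkIsolationPolicy` in the first hunk of patch 2/3 without any statement of what it permits or which build step needed it. The previous patch set out to start restrictive and widen only when a granular policy is unavailable, so this widening should carry its justification. I would add a comment above the line, for example `# Preferred added because <step> failed under CFSClean alone: <reason>`, with the placeholders filled in from the failing run. From the hunk alone I cannot tell whether `Preferred` is narrower than the `Permissive` value that was removed, so that is worth confirming before merge.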
From 45a5791148d39770cfad5e7402e6c3b1ba8d3f99 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20K=C3=B6plinger?= Date: Tue, 9 Jun 2026 16:18:54 +0200 Subject: [PATCH 3/3] Add CFSClean2 policy --- eng/pipelines/azure-pipelines.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/eng/pipelines/azure-pipelines.yml b/eng/pipelines/azure-pipelines.yml index d83c30100f..1bc2fe0842 100644 --- a/eng/pipelines/azure-pipelines.yml +++ b/eng/pipelines/azure-pipelines.yml @@ -32,7 +32,7 @@ extends: image: 1es-windows-2022 os: windows settings: - networkIsolationPolicy: Preferred,CFSClean + networkIsolationPolicy: Preferred,CFSClean,CFSClean2 stages: - stage: build displayName: Build @@ -65,6 +65,3 @@ extends: enableSourceLinkValidation: false enableSigningValidation: false symbolPublishingAdditionalParameters: /p:PublishToSymWeb=false /p:PublishToMSDL=false - - -
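Review bot: `CFSClean2` is appended in the first hunk of patch 3/3 while `CFSClean` stays in the list, and the commit has no description. It is therefore unclear whether the two policies are meant to apply together or whether `CFSClean2` supersedes the older one. If it is a replacement, the value should drop `CFSClean` so the effective policy is unambiguous. If both are required, a comment above the setting should say so, for example `# CFSClean2 applied in addition to CFSClean: <reason>`. I cannot tell from this hunk which case holds, and the `extends` block continues outside it.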