From 9990f79db07507037ad6f972e00188702644125c Mon Sep 17 00:00:00 2001
From: Ray Chen
Date: Wed, 20 May 2026 11:59:18 -0700
Subject: [PATCH 1/3] Added NI policies explicitly
---
 eng/pipelines/templates/stages/1es-redirect.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eng/pipelines/templates/stages/1es-redirect.yml b/eng/pipelines/templates/stages/1es-redirect.yml
index e4c2c71342cd..da3b0d6db26f 100644
--- a/eng/pipelines/templates/stages/1es-redirect.yml
+++ b/eng/pipelines/templates/stages/1es-redirect.yml
@@ -42,7 +42,7 @@ extends:
 skipBuildTagsForGitHubPullRequests: true
 # Set network isolation policy to Preferred to allow access to common public services like GitHub, NuGet, Maven Central, etc.
 # https://eng.ms/docs/coreai/devdiv/one-engineering-system-1es/1es-build/cloudbuild/security/1espt-network-isolation#shared-policies-for-common-use-cases
- networkIsolationPolicy: Permissive
+ networkIsolationPolicy: Permissive, CFSClean, CFSClean2
 sdl:
 ${{ if and(eq(variables['Build.DefinitionName'], 'java - core'), eq(variables['Build.SourceBranchName'], 'main'), eq(variables['System.TeamProject'], 'internal')) }}:
 autobaseline:
From 73894b1364c6767a14e34240d8f78a53d77e7a25 Mon Sep 17 00:00:00 2001
From: Ray Chen
Date: Fri, 29 May 2026 13:33:02 -0700
Subject: [PATCH 2/3] Set CFSClean policy only
---
 eng/pipelines/templates/stages/1es-redirect.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eng/pipelines/templates/stages/1es-redirect.yml b/eng/pipelines/templates/stages/1es-redirect.yml
index da3b0d6db26f..3431292ce576 100644
--- a/eng/pipelines/templates/stages/1es-redirect.yml
+++ b/eng/pipelines/templates/stages/1es-redirect.yml
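Review bot: In [PATCH 1/3] the new `networkIsolationPolicy` value is a comma-separated list written as a plain scalar, which YAML loads as the single string `Permissive, CFSClean, CFSClean2`; whether the 1ES template splits that string into separate policies is not visible in this hunk. Since this setting governs what the build agents may reach over the network, a value the template does not recognise could leave the pipeline on a different policy than intended, so it is worth confirming the accepted format against the linked documentation and quoting the value to make the string intent explicit: `networkIsolationPolicy: 'Permissive, CFSClean, CFSClean2'`. The same plain-scalar form appears in the hunks of [PATCH 2/3] and [PATCH 3/3]. The `extends:` block starts and ends outside the hunk.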
@@ -42,7 +42,7 @@ extends:
 skipBuildTagsForGitHubPullRequests: true
 # Set network isolation policy to Preferred to allow access to common public services like GitHub, NuGet, Maven Central, etc.
 # https://eng.ms/docs/coreai/devdiv/one-engineering-system-1es/1es-build/cloudbuild/security/1espt-network-isolation#shared-policies-for-common-use-cases
- networkIsolationPolicy: Permissive, CFSClean, CFSClean2
+ networkIsolationPolicy: Permissive, CFSClean
 sdl:
 ${{ if and(eq(variables['Build.DefinitionName'], 'java - core'), eq(variables['Build.SourceBranchName'], 'main'), eq(variables['System.TeamProject'], 'internal')) }}:
 autobaseline:
From 3e6c3638edc1c0895f0ac9149844714713409a0b Mon Sep 17 00:00:00 2001
From: Ray Chen
Date: Fri, 29 May 2026 14:21:17 -0700
Subject: [PATCH 3/3] Updated comment
---
 eng/pipelines/templates/stages/1es-redirect.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eng/pipelines/templates/stages/1es-redirect.yml b/eng/pipelines/templates/stages/1es-redirect.yml
index 3431292ce576..72b90fc2eb09 100644
--- a/eng/pipelines/templates/stages/1es-redirect.yml
+++ b/eng/pipelines/templates/stages/1es-redirect.yml
@@ -40,7 +40,7 @@ extends:
 - 1ES.PT.Tag-refs/tags/canary
 settings:
 skipBuildTagsForGitHubPullRequests: true
- # Set network isolation policy to Preferred to allow access to common public services like GitHub, NuGet, Maven Central, etc.
+ # Set network isolation policy to Permissive, CFSClean which our pipeline are currently compliant with.
 # https://eng.ms/docs/coreai/devdiv/one-engineering-system-1es/1es-build/cloudbuild/security/1espt-network-isolation#shared-policies-for-common-use-cases
 networkIsolationPolicy: Permissive, CFSClean
 sdl:
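Review bot: In [PATCH 2/3] the subject says "Set CFSClean policy only", but the new `networkIsolationPolicy` line still lists `Permissive`; the only change is that `CFSClean2` was dropped. If the intent was to restrict build-agent egress to CFSClean alone, the line would read `networkIsolationPolicy: CFSClean`; if `Permissive` is meant to stay, the subject should say that CFSClean2 was removed. How the template combines the listed policies is not visible in this hunk, so which reading is the stricter one needs confirming against the linked 1ES documentation. The `extends:` block starts and ends outside the hunk.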
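Review bot: In [PATCH 3/3] the rewritten comment repeats the configured value but drops the reason for it, and "our pipeline are" should read "our pipelines are". Someone auditing what the build may reach over the network cannot tell from the comment what `Permissive` and `CFSClean` each allow, and the eng.ms link beneath it appears to point at an internal page that not every contributor can open. I would word the line as `# Network isolation: Permissive, CFSClean are the shared policies our pipelines currently comply with.` and add one further comment line stating what each policy permits.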