A Macro element defines a text substitution macro that can be used in other elements. Macros are referenced using NMAKE syntax, i.e. $(runtime.windows). Required. The Id for this macro, used in macro references. For example, if the Id for this macro is "runtime.windows", the macro would be referenced as $(runtime.windows). Required. The value that will be substituted for macro references in macro- enabled XML attributes. AppIDs may use either macros only (and be multi-valued). For example $(Adobe65)$(TestApp) ((\$\([a-zA-Z_][a-zA-Z_0-9.]*\))+) or they may be a string that does not begin with a $ and be single valued (^[^\$]([a-zA-Z0-9\-_!@#%\^\.,;:=\+~`'\{\}\(\)\[\]\$ \\])*) Collection of setting elements. Define a Signer Define a Signing Scenario type EKU ID type starts with ID_EKU_ and with reasonable length that should be less than 50 characters. Signing Scenario ID type starts with ID_SIGNGINGSCENARIO_ and with reasonable length that should be less than 100 characters. Multiple ID_SIGNINGSCENARIO_ seperated by ',' Allow Rule ID should start with ID_ALLOW_, with reasonable length that should be less than 100 characters. Generic file rule ID should start with ID_ATTRIB_, with reasonable length that should be less than 100 characters. Deny Rule ID should start with ID_DENY_, with reasonable length that should be less than 100 characters. Signer ID should start with ID_SIGNER_, with reasonable length that should be less than 100 characters. FileRulesRef is a collection of FileRuleRef Multiple ID_ALLOW_ or ID_DENY_ separated by ',' with reasonable length that should be less than 150 characters. Used to reference an file rule through rule ID A FileAttribRef is used to reference a FILE_ATTRIB rule through ID ExceptDenyRule rule is a deny rule type. It makes specific allow Signer conditional. If the allow Signer rule allows, but the exception condition met, then the result is deny. ExceptAllowRule rule is an allow rule type. It makes specific deny Signer conditional. Collection of EKUs. Define an EKU Collection of File Rules. Define a file allow rule Define a File deny rule Define a generic file attribute rule than can be combined with Signers Colletion of AllowedSigner Colletion of DeniedSigner An AllowedSigner defines a signer with condition (with exceptions) An DeniedSgner defines a deny rule defines a signer for System Integrity Policy Updating Collection of UpdatePolicySigner. defines a signer that CI will trust for CI signing levels. Collection of CiSigner. Collection of signers. A Signer Collection of SigningScenarios Define a Signing Scenario