Based on the provided context, it is recommended to verify that the CI policy file is well-formed and successfully signed. If the policy file is not well-formed or successfully signed, the policy will not be activated, and the machine will not reboot successfully. Additionally, it is important to confirm that Code Integrity event 3099 is showing after the machine reboots, which means the new CI policy is activated. If the event is not showing, it is recommended to restart from step 1 and ensure that the CI policy file is well-formed and successfully signed before proceeding.
As for the issue with Secure Boot preventing the use of signed binaries, it is recommended to ensure that the signed binaries are properly signed using Trusted Signing and that the signing certificate is trusted by the machines. It is also important to ensure that the signed binaries are compatible with Secure Boot.
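The checks described above can be scripted. The following PowerShell is an added example, not part of the original answer; it assumes an elevated session on the affected machine, and `$binary` is a placeholder path for one of your own signed files.

```powershell
# Added example: post-reboot checks for CI policy activation and signature trust.
# Run from an elevated PowerShell session.

$logName = 'Microsoft-Windows-CodeIntegrity/Operational'
$boot    = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

# 1. Code Integrity event 3099 logged since the last boot means a policy was activated.
$activated = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 3099
    StartTime = $boot
} -ErrorAction SilentlyContinue

if ($activated) {
    $activated | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Warning "No event 3099 since boot ($boot). Re-check that the policy file is well-formed and signed."
}

# 2. Report the Secure Boot state (the cmdlet throws on non-UEFI or non-elevated sessions).
try {
    $secureBoot = Confirm-SecureBootUEFI
    Write-Output "Secure Boot enabled: $secureBoot"
} catch {
    Write-Warning "Could not query Secure Boot state: $($_.Exception.Message)"
}

# 3. Check that a signed binary verifies and chains to a certificate this machine trusts.
$binary = 'C:\path\to\signed-binary.exe'   # placeholder, replace with your file
if (Test-Path -LiteralPath $binary) {
    $sig = Get-AuthenticodeSignature -LiteralPath $binary
    [pscustomobject]@{
        File       = $binary
        Status     = $sig.Status            # 'Valid' = signature OK and signer trusted here
        Detail     = $sig.StatusMessage
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
    } | Format-List
} else {
    Write-Warning "File not found: $binary"
}
```

A `Status` other than `Valid` on the target machine points to a signing or certificate trust problem rather than a policy problem.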