A company has an Active Directory Domain Services (AD DS) domain. All client computers
run Windows 8.
You need to ensure that only administrators can access removable storage devices on client
computers.
Which two Group Policy settings should you configure? (Each correct answer presents part
of the solution. Choose two.)
A.
Enable the Prevent installation of removable devices policy.
B.
Disable the Allow only USB root hub connected Enhanced Storage Features policy.
C.
Create an AppLocker deny rule with a path condition of %HOT%.
D.
Start the Application Identity service.
E.
Enable the Allow administrators to override Device Installation Restriction policies policy.
Explanation:
Prevent installation of all devices.
In this scenario, the administrator wants to prevent standard users from installing any device
but allow administrators to install or update devices. To implement this scenario, you must
configure two computer policies: one that prevents all users from installing devices (A) and a
second policy to exempt administrators from the restrictions (E).
* A growing variety of external storage devices can be connected to personal computers and
servers that are running the Windows operating system. Many users now expect to be able
to install and use these devices in the office, at home, and in other locations. For
administrators, these devices pose potential security and manageability challenge.
The Group Policy settings discussed in this section can be used to limit, prevent, or enable
these situations. The default value for these policy settings is Not configured.
These policy settings are located in the following locations under Computer
Configuration\Administrative Templates\System:
/ (E) Device Installation\Device Installation Restrictions
Device Redirection\Device Redirection Restrictions
Driver Installation
Enhanced Storage Access
Removable Storage Access
Reference: Threats and Countermeasures Guide: External Storage Devices