PrepAway - Latest Free Exam Questions & Answers

Which two tasks should you perform?

Your company has an Active Directory domain.
All servers run Windows Server 2008 R2.
Your company runs an Enterprise Root certification authority (CA).
You need to ensure that only administrators can sign code.
Which two tasks should you perform?
(Each correct answer presents part of the solution. Choose two.)


A. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted Publishers.

B. Modify the security settings on the template to allow only administrators to request code signing certificates.

C. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow only administrators to apply the policy.

D. Publish the code signing template.

Explanation:
http://techblog.mirabito.net.au/?p=297
Generating and working with code signing certificates
A code signing certificate is a security measure designed to assist in the prevention of malicious code
execution. The intention is that code must be “signed” with a certificate that is trusted by the machine on which
the code is executed. The trust is verified by contacting the certification authority for the certificate, which could
be either a local (on the machine itself, such as a self-signed certificate), internal (on the domain, such as an
enterprise certification authority) or external certification authority (third party, such as Verisign or Thawte).
For an Active Directory domain with an enterprise root certification authority, the enterprise root certification
authority infrastructure is trusted by all machines that are a member of the Active Directory domain, and
therefore any certificates issued by this certification authority are automatically trusted.
In the case of code signing, it may be necessary also for the issued certificate to be in the “TrustedPublishers”
store of the local machine in order to avoid any prompts upon executing code, even if the certificate was issued
by a trusted certification authority. Therefore, it is required to ensure that certificates are added to this store
where user interaction is unavailable, such as running automated processes that call signed code.
A certificate can be assigned to a user or a computer, which will then be the “publisher” of the code in question.
Generally, this should be the user, and the user will then become the trusted publisher. As an example,
members of the development team in your organisation will probably each have their own code signing
certificate, which would all be added to the “Trusted Publishers” store on the domain machines. Alternatively, a
special domain account might exist specifically for signing code, although one of the advantages of code
signing is to be able to determine the person who signed it.
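
An audit of the store described in the explanation above, as an added example (not part of the exam material or the quoted blog post): it lists every certificate in the local machine "Trusted Publishers" store and flags entries that are expired, self-signed, lack the code signing EKU, or fail chain validation. It assumes an elevated PowerShell session on the machine being checked.

```powershell
# Added example: audit Cert:\LocalMachine\TrustedPublisher.
# Code signed by any certificate in this store runs without a publisher
# prompt, so every entry should be an expected, valid code signing certificate.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning EKU
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher | ForEach-Object {
    $cert = $_

    # Collect EKU OIDs. A certificate with no EKU extension is not
    # restricted to any purpose and will show CodeSigning = False here.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }

    # Build the chain in machine context, with online revocation checking.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        Expired     = ($cert.NotAfter -lt $now)
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        CodeSigning = ($ekuOids -contains $codeSigningOid)
        ChainValid  = $chainOk
        ChainErrors = $chainErrors
    }
} | Select-Object Subject, Issuer, Thumbprint, NotAfter, Expired,
                  SelfSigned, CodeSigning, ChainValid, ChainErrors |
    Format-List
```

Entries that are self-signed, expired, or issued by something other than the enterprise CA are the ones to investigate first.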

