Endpoint Protection

  • 1.  Application and Device Control Priority

    Posted Mar 31, 2009 01:26 PM
    I'm starting to experiment with Application and Device Control.

    My first question:
    Do I have to have a certain part of SEP installed in order to utilize App and Dev Control (such as Proactive Threat Detection or Network Threat Protection)?

    My next question:
    Can someone explain to me how the priority works and/or send me to a link that explains it?

    My next question:
    Is there a way to track what computers/users are plugging in external devices (thumb drives, hard drives, floppy drives, etc.)?

    My last question/problem:
    I'm experimenting with three different rule sets that I have grouped together under one policy; they are as follows:
    Application Control (this is also the priority order as I have it in my SEPM):
    Make all removable drives read-only
    Block programs from running from removable drives
    Block Access to Autorun.inf

    I don't have anything for device control

    As for what those rule sets do, the names are pretty self-explanatory.

    So I created a test group, put a couple PCs in there and assigned this policy to it.

    To experiment, I put an autorun file on my thumb drive, plugged it in, and it came up. I selected to run the executable on the drive and it ran. I was also able to write to the thumb drive. I'm wondering what I'm doing wrong. What I expected to happen was for nothing to pop up, and when I did try to launch the executable, for it to deny that ability. I also expected that when I went to edit a file on the drive it wouldn't let me save it. All tests failed. Wondering what I'm doing wrong.

    I'm running my SEP Managers and Clients on MR4 MP1. I also have Antivirus/Antispyware and Network Threat Protection with Intrusion Prevention installed on my endpoints.


  • 2.  RE: Application and Device Control Priority

    Posted Apr 22, 2009 12:22 AM
    The very first reason for it to fail is that you do not have Proactive Threat Protection installed.

    Application and device control
    Application and Device Control is part of Proactive Threat Protection; however, Network Threat Protection needs to be installed for Application and Device Control to work.

    Priority
    I am not sure which priority you are asking about: is it the MSL, or something related to Application or Device Control?

    You can create Scheduled Reports as well as Notifications for Application and Device control.

    Block Autorun.inf
    It is good that you are using Application and Device Control to block Autorun.inf.
    However, I would suggest disabling it through Group Policy as well, so it is organization-wide.

    AD Users and Computers
    In the Group Policy mmc. On left panel:
    Double-click Computer Configuration to open submenu
    Double-click Administrative Templates to open submenu
    Double-click System to open submenu
    Double-click Turn autoplay off, which will be near the bottom of the list in the right panel.
    The default is Not configured. Set it to Enabled.


  • 3.  RE: Application and Device Control Priority

    Posted Apr 22, 2009 07:30 AM

    Yes I agree with this solution.


  • 4.  RE: Application and Device Control Priority
    Best Answer

    Posted Apr 22, 2009 08:13 AM
    Absolutely. I love the app and device control!
    I can tell when folks are attempting to use USB drives, can log files accessed or copied to such drives, can block certain types, allow others.
    If you block say one vendor of drive, but want to allow a certain model from that vendor, the allow takes precedence - in other words, if you block ALL USB drives, but allow brand xxx, then brand xxx can work, all others won't.
    Allow comes first, sort of a safety thing. 

    You can block ALL USB devices, but allow mice, keyboards, etc., too. 

    Here is an email I got when someone attempted a certain blocked USB device:

    Message from:
    Server name: VRDSMSEP1
    Server IP: 165.123.456.010

    Found more than 1 security events. Actual number of security events found was 7 in 1 minutes.
    Security events included:
    Compliance,
    Device Manager.

    See attached report for more details.


    ----- Below is the report that was attached -----

    Event Time: 04/21/2009 16:25:24 | Event Type: Device control disabled device | Severity: Major | Number: 1
    Domain: IVRS-SEP1 | Server: VRDSMSEP2 | Group: My Company\Client Computers\Desktop | Computer: VR003HP36C91D52
    IP Address: 10.252.3.9 | Operating System: Windows XP Professional | Client User Name: Elizabeth.Vaxxxxx | Location: Default
    Application Name: Device Manager | Event Description: Message The device was disabled successfully. [name]:Generic volume [class]:Storage volumes [guid]:71a27cdd-812a-11d0-bec7-08002be2092f [deviceID]:STORAGE\REMOVABLEMEDIA\7&4D0BF91&0&RM

    Event Time: 04/21/2009 16:25:24 | Event Type: Device control disabled device | Severity: Major | Number: 1
    Domain: IVRS-SEP1 | Server: VRDSMSEP2 | Group: My Company\Client Computers\Desktop | Computer: VR003HP36C91D52
    IP Address: 10.252.3.9 | Operating System: Windows XP Professional | Client User Name: Elizabeth.Vaxxxxx | Location: Default
    Application Name: Device Manager | Event Description: Message The device was disabled successfully. [name]:USB2.0 Flash Disk USB Device [class]:Disk drives [guid]:(null) [deviceID]:USBSTOR\DISK&VEN_USB2.0&PROD_FLASH_DISK&REV_5.00\0221100015429012&0

    Event Time: 04/21/2009 16:25:24 | Event Type: Device control disabled device | Severity: Major | Number: 1
    Domain: IVRS-SEP1 | Server: VRDSMSEP2 | Group: My Company\Client Computers\Desktop | Computer: VR003HP36C91D52
    IP Address: 10.252.3.9 | Operating System: Windows XP Professional | Client User Name: Elizabeth.Vaxxxxx | Location: Default
    Application Name: Device Manager | Event Description: Message The device was disabled successfully. [name]:USB2.0 Flash Disk USB Device [class]:Disk drives [guid]:(null) [deviceID]:USBSTOR\DISK&VEN_USB2.0&PROD_FLASH_DISK&REV_5.00\0221100015429012&0

    Event Time: 04/21/2009 16:25:19 | Event Type: Device control disabled device | Severity: Major | Number: 1
    Domain: IVRS-SEP1 | Server: VRDSMSEP2 | Group: My Company\Client Computers\Desktop | Computer: VR003HP36C91D52
    IP Address: 10.252.3.9 | Operating System: Windows XP Professional | Client User Name: Elizabeth.Vaxxxxx | Location: Default
    Application Name: Device Manager | Event Description: Message The device was disabled successfully. [name]:USB2.0 Flash Disk USB Device [class]:Disk drives [guid]:(null) [deviceID]:USBSTOR\DISK&VEN_USB2.0&PROD_FLASH_DISK&REV_5.00\0221100015429012&0

    Event Time: 04/21/2009 16:25:19 | Event Type: Device control disabled device | Severity: Major | Number: 1
    Domain: IVRS-SEP1 | Server: VRDSMSEP2 | Group: My Company\Client Computers\Desktop | Computer: VR003HP36C91D52
    IP Address: 10.252.3.9 | Operating System: Windows XP Professional | Client User Name: Elizabeth.Vaxxxxx | Location: Default
    Application Name: Device Manager | Event Description: Message The device was disabled successfully. [name]:USB2.0 Flash Disk USB Device [class]:Disk drives [guid]:(null) [deviceID]:USBSTOR\DISK&VEN_USB2.0&PROD_FLASH_DISK&REV_5.00\0221100015429012&0

    Event Time: 04/21/2009 16:25:19 | Event Type: Device control disabled device | Severity: Major | Number: 1
    Domain: IVRS-SEP1 | Server: VRDSMSEP2 | Group: My Company\Client Computers\Desktop | Computer: VR003HP36C91D52
    IP Address: 10.252.3.9 | Operating System: Windows XP Professional | Client User Name: Elizabeth.Vaxxxxx | Location: Default
    Application Name: Device Manager | Event Description: Message The device was disabled successfully. [name]:USB2.0 Flash Disk USB Device [class]:Disk drives [guid]:(null) [deviceID]:USBSTOR\DISK&VEN_USB2.0&PROD_FLASH_DISK&REV_5.00\0221100015429012&0

    Event Time: 04/21/2009 16:25:13 | Event Type: Device control disabled device | Severity: Major | Number: 1
    Domain: IVRS-SEP1 | Server: VRDSMSEP2 | Group: My Company\Client Computers\Desktop | Computer: VR003HP36C91D52
    IP Address: 10.252.3.9 | Operating System: Windows XP Professional | Client User Name: Elizabeth.Vaxxxxx | Location: Default
    Application Name: Device Manager | Event Description: Message The device was disabled successfully. [name]:Unknown Device [class]:Other devices [guid]:4d36e97e-e325-11ce-bfc1-08002be10318 [deviceID]:STORAGE\REMOVABLEMEDIA\7&4D0BF91&0&RM
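    The report above shows the two things a practitioner has to deal with when using these events to answer the original poster's "who is plugging in what" question: one stick produces a burst of events (one per device interface, repeated as Windows retries), and the only stable identifier is the USBSTOR device ID, which carries the vendor, product and the drive's serial. The script below is an added example, not part of the reply above and not Symantec code. It parses the bracketed fields out of the event descriptions, collapses the burst into one entry per user, computer and device, and then checks a device ID against a block list and an allow list using the allow-wins precedence the reply describes. The sample rows are reconstructed from the quoted report, but their pipe-separated layout (time|computer|ip|user|description) is assumed for the example and is not SEPM's export format; the glob matching is likewise a simplification of the product's own device-list matching.

```python
"""Turn the burst of SEPM 'Device control disabled device' events above into a
'who plugged in what' view, and check a device ID against allow/block lists.

Added example; not part of the forum post and not Symantec code. The sample
rows are reconstructed from the report quoted above, but the pipe-separated
layout (time|computer|ip|user|description) is assumed here, not SEPM's export
format. Allow-before-block is the precedence the post describes; the glob
matching is a simplification of the product's device-list matching.
"""
import re
from collections import defaultdict
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample, condensed from the seven events in the report above.
SAMPLE_EVENTS = r"""
04/21/2009 16:25:24|VR003HP36C91D52|10.252.3.9|Elizabeth.Vaxxxxx|Message The device was disabled successfully. [name]:Generic volume [class]:Storage volumes [guid]:71a27cdd-812a-11d0-bec7-08002be2092f [deviceID]:STORAGE\REMOVABLEMEDIA\7&4D0BF91&0&RM
04/21/2009 16:25:24|VR003HP36C91D52|10.252.3.9|Elizabeth.Vaxxxxx|Message The device was disabled successfully. [name]:USB2.0 Flash Disk USB Device [class]:Disk drives [guid]:(null) [deviceID]:USBSTOR\DISK&VEN_USB2.0&PROD_FLASH_DISK&REV_5.00\0221100015429012&0
04/21/2009 16:25:19|VR003HP36C91D52|10.252.3.9|Elizabeth.Vaxxxxx|Message The device was disabled successfully. [name]:USB2.0 Flash Disk USB Device [class]:Disk drives [guid]:(null) [deviceID]:USBSTOR\DISK&VEN_USB2.0&PROD_FLASH_DISK&REV_5.00\0221100015429012&0
04/21/2009 16:25:13|VR003HP36C91D52|10.252.3.9|Elizabeth.Vaxxxxx|Message The device was disabled successfully. [name]:Unknown Device [class]:Other devices [guid]:4d36e97e-e325-11ce-bfc1-08002be10318 [deviceID]:STORAGE\REMOVABLEMEDIA\7&4D0BF91&0&RM
"""

# "[key]:value" pairs as SEP writes them into the event description.
FIELD_RE = re.compile(r"\[(\w+)\]:(.*?)(?=\s\[\w+\]:|$)")
# USB mass-storage instance path: USBSTOR\DISK&VEN_x&PROD_y&REV_z\<instance>
USBSTOR_RE = re.compile(r"^USBSTOR\\DISK&VEN_([^&]*)&PROD_([^&]*)&REV_([^\\]*)\\(.+)$", re.I)


def parse_description(desc):
    """Extract the bracketed [key]:value fields from one event description."""
    return {k: v.strip() for k, v in FIELD_RE.findall(desc)}


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        when, computer, ip, user, desc = line.split("|", 4)
        ev = {"time": datetime.strptime(when, "%m/%d/%Y %H:%M:%S"),
              "computer": computer, "ip": ip, "user": user}
        ev.update(parse_description(desc))
        events.append(ev)
    return events


def usbstor_parts(device_id):
    """Vendor/product/revision/instance from a USBSTOR ID, else None.
    The instance part is normally the drive's serial number followed by '&0'.
    Rule of thumb (not from the post): an instance like '7&4D0BF91&0' (digit,
    '&', hex) is one Windows generated for a device that reported no serial,
    so it does not identify the physical stick across machines."""
    m = USBSTOR_RE.match(device_id or "")
    if not m:
        return None
    return dict(zip(("vendor", "product", "revision", "instance"), m.groups()))


def removable_media_by_user(events):
    """Collapse per-interface events into one entry per (user, computer,
    device): the 'which computers/users are plugging in' view."""
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ev in events:
        parts = usbstor_parts(ev.get("deviceID"))
        if parts is None:  # volume-level events for the same stick carry no serial
            continue
        key = (ev["user"], ev["computer"], parts["vendor"], parts["product"], parts["instance"])
        entry, t = seen[key], ev["time"]
        entry["count"] += 1
        entry["first"] = t if entry["first"] is None else min(entry["first"], t)
        entry["last"] = t if entry["last"] is None else max(entry["last"], t)
    return dict(seen)


def device_decision(device_id, block_patterns, allow_patterns):
    """'allow' wins over 'block' (the precedence the post describes);
    patterns are case-insensitive globs over the full device ID."""
    dev = device_id.upper()
    if any(fnmatchcase(dev, p.upper()) for p in allow_patterns):
        return "allow"
    if any(fnmatchcase(dev, p.upper()) for p in block_patterns):
        return "block"
    return "no match"


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for (user, computer, ven, prod, inst), info in removable_media_by_user(evs).items():
        print(f"{user}@{computer}: {ven} {prod} instance={inst} events={info['count']} "
              f"{info['first']:%H:%M:%S}..{info['last']:%H:%M:%S}")
    block_all_usb_storage = [r"USBSTOR\*"]
    allow_this_one_stick = [r"USBSTOR\DISK&VEN_USB2.0&PROD_FLASH_DISK&REV_5.00\0221100015429012*"]
    for dev_id in sorted({ev["deviceID"] for ev in evs}):
        print(dev_id, "->", device_decision(dev_id, block_all_usb_storage, allow_this_one_stick))
```

    Allowing by the full instance path (vendor, product and serial) rather than by vendor alone is what makes an exception narrow: a second stick from the same vendor still hits the block entry.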




  • 5.  RE: Application and Device Control Priority

    Posted Apr 22, 2009 08:24 AM
    @shadowpapa: I totally agree. We have tested several scenarios:

    1. Log USB detection
    2. Log copying to/from Removable media
    3. Run *.exe from USB Removable media

    We have managed to test every one of them. We have also tested exclusions so that we can allow certain fingerprints. We have also changed the names of exe files and noticed that the fingerprint still gets detected in spite of the file name change.

    I am already testing rolling this out for all employees, along with process flows for handling exclusions.