Win10 hardening GPO support for secure desktops

Hello all, long time lurker first time poster on the forums, hopefully this is the correct place to post this. Working on some hardening settings for Win10 desktop machines in a SCIF environment for a client, there's 2 settings I've been wrestling with and haven't found a workaround. They are:

1. Disabling microphone jack/port

2. Allow privileged users only write access to CD/DVD and prevent everyone else.

In group policy preferences not seeing anything for microphone under control panel\devices, there's a policy to disable sound completely and registry hack to disable headphones but nothing for mic. The only option i see is disabling microphone in the BIOS, but that would require altering the image as i don't think BIOS settings can be managed by GPO. As for allowing only privilege users to write to CD/DVD, the only foreseeable option i know of is first setting up a GPO to block CD/DVD access completely, then creating a second "exceptions" GPO to allow this setting and do a security filter to only select privileged users or a security group of users. But this will require two policies for just one setting which i would like to avoid. Thank you in advance for the help

You can disable a specific audio input in Input/Output section (top of the tree) in Device Manager, then deny access to Device Manager to the users you want. For DVD I remember Nero Burnrights that you could do that. I think you can download it as a separate application from Nero, but this is for restricting access to Nero Burning ROM. I am not sure you can do it for all applications, unless there is a third party utility to do just that. I have seen utilities to restrict access to USB devices etc, there might be one to control access to DVD.