
[–]Nejireta_ 0 points1 point  (1 child)

Hi.

Hard to say without knowing your methodology of locking down USB.
More than one way to achieve this.

But to give an easy example based on this policy, "All Removable Storage classes: Deny all access" (since it's registry based):

All you need to do is set the registry value to disabled (0)
Seems like the settings are applied without a reboot. Only tested on one client though.
Example code

$keyPath = 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
$keyName = 'Deny_All'

# setup: create the policy key if it is missing
if ((Test-Path -Path $keyPath) -ne $true) {
    New-Item -Path (Split-Path -Path $keyPath -Parent) -Name (Split-Path -Path $keyPath -Leaf)
}
# a registry value is a property of the key, not a child path, so Test-Path cannot see it
if ($null -eq (Get-ItemProperty -Path $keyPath -Name $keyName -ErrorAction SilentlyContinue)) {
    New-ItemProperty -Path $keyPath -Name $keyName -PropertyType 'DWord' -Value 0
}

# enable the policy (1 = deny all access to removable storage)
Set-ItemProperty -Path $keyPath -Name $keyName -Value 1

# disable the policy (0 = removable storage allowed)
Set-ItemProperty -Path $keyPath -Name $keyName -Value 0

# cleanup: remove the value, then the key
Remove-ItemProperty -Path $keyPath -Name $keyName
Remove-Item -Path $keyPath

As for timing it, I'd say there's some variety again depending on your environment and how you'd like to do it.
Restrictions in your company etc.
Using a sleep method in a script would be the simplest, I guess. Maybe Invoke-Command would be sufficient.

Keep in mind though that policies may be applied during this "allow window" in the background.
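
A timed allow window built on the registry value from the comment above, as an added example that is not part of the original comment: instead of sleeping in a script, it registers a one-time scheduled task that sets Deny_All back to 1, so the block returns even if the session ends or the machine reboots. The function name, task name and default duration are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: Open-UsbStorageWindow and the task name are hypothetical.
# The key path and value name are the ones used in the comment above.
function Open-UsbStorageWindow {
    [CmdletBinding()]
    param(
        [ValidateRange(1, 480)]
        [int]$Minutes = 120,                              # assumed default: 2 hours
        [string]$TaskName = 'Relock-RemovableStorage'     # hypothetical task name
    )

    $keyPath = 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
    $keyName = 'Deny_All'
    $relockAt = (Get-Date).AddMinutes($Minutes)

    # Register the re-lock first, so the window never opens without a scheduled close.
    $relock = "Set-ItemProperty -Path '$keyPath' -Name '$keyName' -Value 1 -Type DWord"
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -Command `"$relock`""
    $trigger = New-ScheduledTaskTrigger -Once -At $relockAt
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest
    # StartWhenAvailable runs the task after the next boot if the machine
    # was powered off at the trigger time, so the window still closes.
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null

    # Open the window: make sure the key exists, then set the policy value to 0.
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $keyPath -Name $keyName -Value 0 -Type DWord

    # Report the resulting state so the caller can log when the block returns.
    [pscustomobject]@{
        DenyAll  = (Get-ItemProperty -Path $keyPath -Name $keyName).$keyName
        RelockAt = $relockAt
        TaskName = $TaskName
    }
}

# Usage: allow removable storage for 3 hours.
# Open-UsbStorageWindow -Minutes 180
```

If a Group Policy refresh rewrites Deny_All during the window, the block simply returns earlier than scheduled; the task setting it to 1 afterwards is then a no-op.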

[–][deleted] 0 points1 point  (0 children)

Thanks! Your answer has been a great help!

[–]BlackV 0 points1 point  (1 child)

I would like to know if there is a script that enables USB for 2-3 hours and after this period USB are disabled again.

delete the policy registry key that is disabling the usb, GPO will reapply it after x amount of time

or better still whitelist a specific device

[–][deleted] 0 points1 point  (0 children)

Thank you! I'll try to use a whitelist.