timer to disable selected users USB access

Question

Hi All,

My company has around 400 to 500 users all using win10.

We have disabled USB using group policy and Intune for all users, but few of them require USB access for official reasons.

I have created a policy to exclude those few users so that they can use USB drivers on that laptop.

I am looking for a solution which enables me to revoke access for users after 3 months without any manual intervention, reason admin team can forget over the time which user have access to USB as users will be moved to different projects and they might not require access to USB.

Not in favour of buying third party tool.

Please suggest if there is a way to achieve this.

Regards,

Alex

Answer 1

Unfortunately, there isn't a built-in way in Group Policy or Intune to automatically revoke USB access after a specific period of inactivity for Windows 10.

You can also use the PowerShell command Get-ADUser -filter * -Properties "LastLogonDate" | select name, LastLogonDate to get the last logon date for all domain users.

If the difference is greater than 3 months (convert to desired timeframe in seconds), the script re-enables USB access for that user by disabling the "Do not allow mass storage devices" policy usingSet-ItemProperty.

Save the PowerShell script.

Use Task Scheduler to schedule the script to run periodically.