Maybe look at a removable device management tool integrated into an Endpoint solution...that way you are constantly using managing the tool
Sophos Endpoint does this
https://www.sophos.com/en-us/support/knowledgebase/64174.aspx
Obviously plenty of others out there but don't go posting a question on here about AV vendors unless you want a 'face palm' outbreak;-)