Workaround: the script below prompts you to pick a file (e.g. x:\some-secure-USB-installer.exe), then prompts you for whatever path you want to use (which could start with ?:\, where ? means any character, i.e. any drive letter). The script generates a temporary config, allowing you to select the new signature item from the Everyone->Allowed area, copy it, and paste it into your production config. The net result is that you can make a file Allowed regardless of the drive letter assigned to your USB drive, based on hash, but without causing AM to compare every otherwise-blocked item (including desktop.ini and other false positives) against your hash(es).
Note that you might also want a process rule granting Unrestricted status to the thing you're making Allowed - maybe - it all depends on how the thing you're unblocking behaves.
# For dialogs
[System.Reflection.Assembly]::LoadWithPartialName("System.windows.forms") | Out-Null
$OpenFileDialog.filter = "All (*.*)| *.*"
# for doing API stuff
$confHelper = new-object -comobject 'AM.ConfigurationHelper.1'
$conf = new-object -comobject
# load the default configuration
$confXml = $confHelper.DefaultConfiguration
# prompt for input file
$inputFile = Get-InputFileName
# Get the file path to use
$filePath = [Microsoft.VisualBasic.Interaction]::InputBox("Provide a file path to use e.g. ?:\secureUSBinstaller.exe", "File path for
# Create hash rule
$as = $conf.ManufactureInstanceFromClassName('AM.SignatureFile')
# add it as an Allowed item for Everyone
$tempAampFile = [System.IO.Path]::GetTempFileName()
"you might also want a process rule granting Unrestricted status to the thing you're making Allowed"
That process will need to be based on a file-path-based process; creating one based on signature (hash) and setting its status to Unrestricted has no effect - or at least has no effect in making sub-processes or DLLs on the USB drive Allowed.
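An added sketch (not part of the original post and not AppSense code) of why scoping the signature item to a path pattern such as ?:\secureUSBinstaller.exe keeps hash checks cheap: the path is tested first, and only a match is read and hashed. The function name, the SHA256 choice and the temp-folder sample files are assumptions made for illustration, and it expects Windows drive-letter paths.

```powershell
# Added illustration; not AppSense code and makes no AM API calls.
function Test-PathScopedHashRule {
    param(
        [Parameter(Mandatory)] [string] $CandidatePath,  # file being evaluated
        [Parameter(Mandatory)] [string] $PathPattern,    # e.g. ?:\secureUSBinstaller.exe
        [Parameter(Mandatory)] [string] $ExpectedHash,   # hash recorded for the rule
        [string] $Algorithm = 'SHA256'                   # assumption: the page names no algorithm
    )
    # Step 1: cheap wildcard test. '?' matches exactly one character, so
    # '?:\' accepts any drive letter; files that fail here are never read.
    if ($CandidatePath -notlike $PathPattern) {
        return [pscustomobject]@{ File = Split-Path $CandidatePath -Leaf; Hashed = $false; Allowed = $false }
    }
    # Step 2: only a path match is hashed and compared.
    $actual = (Get-FileHash -LiteralPath $CandidatePath -Algorithm $Algorithm).Hash
    [pscustomobject]@{ File = Split-Path $CandidatePath -Leaf; Hashed = $true; Allowed = ($actual -eq $ExpectedHash) }
}

# Constructed sample data: a temp folder stands in for the USB drive.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ([guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $dir | Out-Null
$exe = Join-Path $dir 'secureUSBinstaller.exe'
$ini = Join-Path $dir 'desktop.ini'
Set-Content -LiteralPath $exe -Value 'constructed installer bytes'
Set-Content -LiteralPath $ini -Value '[.ShellClassInfo]'

# Record the hash, then replace the drive letter with '?' as the page suggests.
# The rest of the path is escaped so '[' or ']' in it are not read as wildcards.
$hash    = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
$pattern = '?' + [System.Management.Automation.WildcardPattern]::Escape($exe.Substring(1))

$results = @(
    Test-PathScopedHashRule -CandidatePath $exe -PathPattern $pattern -ExpectedHash $hash
    Test-PathScopedHashRule -CandidatePath $ini -PathPattern $pattern -ExpectedHash $hash
)
# Same path, changed content: the path test passes but the hash no longer matches.
Add-Content -LiteralPath $exe -Value 'modified after the rule was made'
$results += Test-PathScopedHashRule -CandidatePath $exe -PathPattern $pattern -ExpectedHash $hash

$results | Format-Table -AutoSize
Remove-Item -LiteralPath $dir -Recurse -Force
```

The three rows show the installer hashed and allowed, desktop.ini rejected without being hashed, and the modified installer hashed but not allowed.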