You are using Device Control on Symantec Endpoint Protection (SEP) for Mac to block USB devices, but they are still available briefly (for about one minute) after boot. After a minute or so, they are blocked even if already plugged in.

Apple macOS

This is by design. Device Control policies do not take effect until after SymDaemon is loaded.

If you wish, you may submit an enhancement request to our engineers. For instructions on how to do this, please see Submit a suggestion for Symantec products.