In Symantec Endpoint Protection, Application and Device Control is set up to block specific device IDs or class IDs, but the device is still allowed even though the rule is in place.
Windows 10
Device Control checks whether the operating system will allow the device to be disabled. Device Control uses the Windows API to disable devices. In the screenshot below, the keyboard cannot be disabled. Even though there is a matching block rule, Device Control will not attempt to disable the device, because the operating system does not permit it. This is by design.
To verify whether a device can be disabled, open the properties of the device in Device Manager, go to the Details tab, select the Status property, and confirm that DN_DISABLEABLE is listed.
This is by design. There are certain devices that Windows will not allow us to disable.
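The Device Manager check described above can also be scripted to audit many devices at once. The following PowerShell is an added example, not Symantec code; it reads each device's devnode status with the built-in PnpDevice cmdlets and tests the DN_DISABLEABLE bit. The class list is an illustrative assumption, and the flag value 0x00002000 is taken from the Windows SDK header cfg.h.

```powershell
# Added example: report which present devices Windows allows to be disabled.
# A device without DN_DISABLEABLE will not be disabled by a matching block rule.

# DN_DISABLEABLE flag value as defined in the Windows SDK header cfg.h.
$DN_DISABLEABLE = 0x00002000

# Device setup classes to audit (illustrative assumption; adjust to your rules).
$classes = @('Keyboard', 'Mouse', 'USB', 'DiskDrive')

Get-PnpDevice -PresentOnly -Class $classes -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Same value Device Manager decodes under Details > Status.
        $status = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
            -KeyName 'DEVPKEY_Device_DevNodeStatus' `
            -ErrorAction SilentlyContinue).Data

        [pscustomobject]@{
            Class         = $_.Class
            FriendlyName  = $_.FriendlyName
            InstanceId    = $_.InstanceId
            DevNodeStatus = if ($null -ne $status) { '0x{0:X8}' -f $status } else { 'n/a' }
            # $null means the status property could not be read for this device.
            Disableable   = if ($null -ne $status) {
                                ($status -band $DN_DISABLEABLE) -ne 0
                            } else { $null }
        }
    } |
    Sort-Object Disableable, Class |
    Format-Table -AutoSize
```

Devices that show `False` in the Disableable column are the ones where a matching Device Control block rule will have no effect.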