USB connectivity policy not working on 1st connect of device

Hi,

I have a problem concerning my USB connectivity policy. My endpoint zone is blocking all USB devices. Users do have access to known USB devices (USB storage devices) that I have put into another USB connectivity policy, which is attached to the User objects. In general everything is working fine: unknown devices are blocked and registered devices are allowed.

But I see weird behavior when a new, unknown USB device is connected for the very first time. Windows then starts detecting it and installs the driver, but does NOT deactivate it. The device is displayed and accessible through Windows Explorer. It seems something is blocking the Endpoint agent from deactivating it. The Windows Autoplay and Autorun functions HAVE ALREADY BEEN disabled. No antivirus is installed on that system.

The ZES log files contain many of these messages:
""USB-Massenspeichergerät"(USB\VID_0781