I currenty administer Endpoint protection for a small company. I've encountered a difficulty in that some users are prohibited from using a 2nd monitor on their desktops because some PC's now only provide for such accessories via USB (such as HP 19-2114 All-in-One Desktop PC). There is not other means of connecting a secondary monitor.
One solution would be a built-in device check, prohibiting only those devices identified as storage devices. This would allow for legitimate usb uses.