On GitHub there is an experimental project "Beamgun" which adds a defense layer to the Windows USB driver subsystem to block all new USB device attachments, for devices which haven't already been recognized and approved, even when the new device would not normally require a driver installation or any user interaction, e.g. devices which (claim to be) "Network adapter" or "Keyboard (HID device)", etc.
These "Evil Maid" or "Rubber Ducky" USB attacks have been demonstrated where, if a person has physical access to a computer, and the computer is on, the USB device acts like a keyboard or a network adapter or some other USB device type, which allows it to start locally trying to exploit vulnerabilities. Locked screens don't help because the device is talking directly "on the local network" or as an additional keyboard or mouse, etc. Full Disk Encryption doesn't help because the computer is already running and if the USB attack can gain any kind of access (underneath the lock screen) then the files are already accessible decrypted. (File-based encryption would help, unless the attack gives the attacker a foothold which then sits and watches and waits until the legitimate user unlocks the encrypted files.)
I would like to see this "beamgun" defense added to endpoint security solutions, especially non-signature based ones like Webroot SecureAnywhere.
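As an added example (not Beamgun's code and not from the original post), here is a minimal PowerShell sketch of the same idea: snapshot the devices already present, then subscribe to WMI device-arrival events and disable any new keyboard, mouse, HID or network device whose instance ID is not on an allowlist. The allowlist entry and the device classes are assumptions to be replaced per host; it assumes an elevated session on Windows 8 / Server 2012 or later, where the PnpDevice module provides Get-PnpDevice and Disable-PnpDevice.

```powershell
#Requires -RunAsAdministrator
# Added example, not Beamgun's implementation: block newly attached USB input/network
# devices that are not on an allowlist. Globals are used because the event -Action
# block does not see script-scope functions or variables.

# Hypothetical allowlist of approved device instance IDs. Collect real values with:
#   Get-PnpDevice -PresentOnly | Select-Object InstanceId, FriendlyName
$global:Approved = @(
    'HID\VID_0000&PID_0000\0&00000000&0&0000'   # placeholder, not a real device
)

# Classes an attacker's USB gadget typically impersonates (assumption; extend as needed).
$global:WatchedClasses = @('Keyboard', 'Mouse', 'HIDClass', 'Net')

# Everything present at start-up is treated as already recognized.
$global:Baseline = @{}
Get-PnpDevice -PresentOnly | ForEach-Object { $global:Baseline[$_.InstanceId] = $true }

function global:Test-ApprovedDevice {
    param([string]$InstanceId)
    # Exact match only; a spoofed VID/PID with a different serial still fails.
    return ($global:Approved -contains $InstanceId)
}

function global:Invoke-NewDeviceCheck {
    param([string]$InstanceId, [string]$Class, [string]$Name)
    if ($global:Baseline.ContainsKey($InstanceId)) { return 'baseline' }
    if ($global:WatchedClasses -notcontains $Class) { return 'ignored' }
    if (Test-ApprovedDevice $InstanceId) { return 'approved' }
    # Unknown keyboard/mouse/HID/network device: disable it before the OS uses it.
    Write-Warning "Blocking new $Class device '$Name' ($InstanceId)"
    Disable-PnpDevice -InstanceId $InstanceId -Confirm:$false -ErrorAction Stop
    return 'blocked'
}

# WMI raises __InstanceCreationEvent for each new Win32_PnPEntity; WITHIN 2 = 2 s poll.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_PnPEntity'"
Register-CimIndicationEvent -Query $query -SourceIdentifier 'UsbArrival' -Action {
    $d = $Event.SourceEventArgs.NewEvent.TargetInstance
    $result = Invoke-NewDeviceCheck -InstanceId $d.PNPDeviceID -Class $d.PNPClass -Name $d.Name
    Write-Host "$(Get-Date -Format s) $($d.PNPDeviceID): $result"
}

Write-Host 'Watching for new USB devices; press Ctrl+C to stop.'
try { while ($true) { Start-Sleep -Seconds 1 } }
finally { Unregister-Event -SourceIdentifier 'UsbArrival' }
```

Two caveats a practitioner would want: the 2-second WMI polling window means a fast keystroke-injecting device can type before it is disabled, which is why Beamgun hooks lower in the stack; and a composite device enumerates several child instances (USB\VID_..., HID\VID_...), so the allowlist must carry every child ID, not just the parent.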