We have found this to be an issue with ADATA UV150 USB3.2 flash drives.
They ship with the "bootable" flag marked on the partition. (And I'm sure many other brands are doing the same)
Our workaround is to using a Linux machine's fdisk to toggle the flag off ("a", "w"); as our users have no privileges to do this.
It takes about 3 seconds.
Why can windows not have a GPO policy/override specific for this use case (removable device with bootable flag on partition)?
Or possibly a warning that the only partition is marked as bootable (and leave it to the user to decide rather than force disabled?)