
CrowdStrike Device Control Setup: Block USB & Configure Falcon USB Blocking

Configure CrowdStrike Falcon device control to block USB drives and removable media. Step-by-step guide for USB blocking, whitelisting specific devices, and creating device control policies.

12 min read | Updated January 2025

CrowdStrike Falcon’s Device Control feature allows administrators to monitor, block, or restrict USB devices connected to endpoints. This helps prevent data exfiltration, unauthorized access, and malware infections via removable media.

This guide explains how to enable, configure, and manage Device Control policies in the CrowdStrike Falcon Console.


Step 1: Log Into the Falcon Console

  1. Open a browser and go to https://falcon.crowdstrike.com or https://falcon.us-2.crowdstrike.com/ (the URL varies by tenant).
  2. Sign in using your admin credentials.

Step 2: Enable Device Control

  1. In the left-hand menu, go to Configuration > Prevention Policies.
  2. Select the policy group where you want to enable Device Control (e.g., Standard, High Security, or a Custom Policy).
  3. Click Edit Policy.
  4. Navigate to the Device Control section.
  5. Toggle Enable Device Control to ON.
  6. Click Save Policy.

📌 Note: Once enabled, all USB activity will be logged, and restrictions will apply based on policy settings.


Step 3: Configure Device Control Rules

Option 1: Allow or Block All USB Storage Devices

  1. Click Add Rule.
  2. Select Rule Type: USB Storage Device.
  3. Choose an Action:
    • Allow – Grants full access to all USB storage devices.
    • Block – Prevents access to USB storage devices.
    • Read-Only – Allows access but prevents file modifications.
  4. Click Save Rule.

Option 2: Allow Only Specific USB Devices

  1. Click Add Rule.
  2. Select Rule Type: USB Device Vendor or Model.
  3. Enter the Vendor ID (VID) and Product ID (PID) of the approved USB device.
    • Example: SanDisk USB Drive (VID: 0781, PID: 5580).
  4. Set Action: Allow.
  5. Click Save Rule.
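
To collect the VID and PID values that step 3 asks for, the script below (an added example, not CrowdStrike code) extracts them from Windows device instance IDs and Linux lsusb output, then separates devices on an approved list from the rest. The sample lines, the ABCD:1234 device and all function names are constructed for illustration; the split models the intent of an allow rule, not how Falcon evaluates policies.

```python
import re

# Windows device instance ID, e.g. USB\VID_0781&PID_5580\<serial>
WIN_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")
# Linux lsusb line, e.g. "Bus 001 Device 004: ID 0781:5580 SanDisk Corp."
LSUSB_RE = re.compile(r"\bID ([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\b")


def extract_vid_pid(line):
    """Return (VID, PID) as upper-case 4-digit hex strings, or None."""
    m = WIN_RE.search(line) or LSUSB_RE.search(line)
    return (m.group(1).upper(), m.group(2).upper()) if m else None


def build_inventory(lines):
    """Map each distinct (VID, PID) to the raw lines it was seen in."""
    inventory = {}
    for line in lines:
        ids = extract_vid_pid(line)
        if ids:
            inventory.setdefault(ids, []).append(line.strip())
    return inventory


def split_by_allowlist(inventory, approved):
    """Split observed devices into approved ones and everything else.
    Models the intent of an allow rule only, not Falcon's policy engine."""
    approved = {(v.upper(), p.upper()) for v, p in approved}
    allowed = sorted(k for k in inventory if k in approved)
    other = sorted(k for k in inventory if k not in approved)
    return allowed, other


# Constructed sample input (not real telemetry).
SAMPLE = [
    r"USB\VID_0781&PID_5580\4C530001234567890123",  # Windows instance ID
    "Bus 001 Device 004: ID 0781:5580 SanDisk Corp.",  # lsusb format
    r"USB\VID_ABCD&PID_1234&MI_00\000000000001",  # constructed IDs
    "Bus 002 Device 003: ID abcd:1234 Example Vendor",  # same device, lower case
    "ACPI\\PNP0C0A\\1",  # not a USB device, ignored
]
APPROVED = [("0781", "5580")]  # the SanDisk example from step 3

if __name__ == "__main__":
    allowed, other = split_by_allowlist(build_inventory(SAMPLE), APPROVED)
    for vid, pid in allowed:
        print(f"approved   VID {vid} PID {pid}")
    for vid, pid in other:
        print(f"unapproved VID {vid} PID {pid}")
```

On Windows the instance IDs can be listed with Get-PnpDevice (the InstanceId property); on Linux, lsusb prints the ID pairs directly.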

Option 3: Block Unauthorized USB Devices

  1. Click Add Rule.
  2. Select Rule Type: USB Device Vendor or Model.
  3. Set Action: Block.
  4. (Optional) Add a message to notify users why the device is blocked.
  5. Click Save Rule.

Step 4: Assign Device Control Policies to Endpoints

  1. Go to Hosts > Host Management.
  2. Select the endpoints where the policy should apply.
  3. Assign the prevention policy containing the Device Control rules.
  4. Click Apply Policy.

Step 5: Monitor USB Activity

  1. Navigate to Activity > Device Control in the Falcon Console.
  2. View logs of USB devices connected to endpoints.
  3. Filter by Blocked Devices to check enforcement.
  4. Adjust rules if necessary based on security requirements.

Best Practices for Device Control

✅ Use Read-Only Mode for Approved Devices – Prevents unauthorized data modifications.
✅ Whitelist Business-Critical USB Devices – Allow only necessary storage devices.
✅ Regularly Review Logs – Identify unauthorized USB usage and refine policies.

Frequently Asked Questions


To allow only specific USB devices in CrowdStrike Falcon, navigate to Configuration > Prevention Policies and select your desired policy group. Click 'Add Rule' under the Device Control section, then select 'USB Device Vendor or Model' as the Rule Type. Enter the Vendor ID (VID) and Product ID (PID) of the approved USB device, such as SanDisk USB Drive (VID: 0781, PID: 5580). Set the Action to 'Allow' and click 'Save Rule.' This ensures only the specified devices can connect, enhancing security by preventing unauthorized devices from being used.
