
CrowdStrike Device Control Setup: Block USB & Configure Falcon USB Blocking

Configure CrowdStrike Falcon device control to block USB drives and removable media. Step-by-step guide for USB blocking, whitelisting specific devices, and creating device control policies.

Difficulty: intermediate
Last updated: January 2025

Frequently Asked Questions

  • Question: How can I configure Device Control to allow only specific USB devices?
    Answer: To allow only specific USB devices in CrowdStrike Falcon, navigate to Configuration > Prevention Policies and select your desired policy group. Click 'Add Rule' under the Device Control section, then select 'USB Device Vendor or Model' as the Rule Type. Enter the Vendor ID (VID) and Product ID (PID) of the approved USB device, such as SanDisk USB Drive (VID: 0781, PID: 5580). Set the Action to 'Allow' and click 'Save Rule.' This ensures only the specified devices can connect, enhancing security by preventing unauthorized devices from being used.
  • Question: What should I do if legitimate USB devices are being blocked?
    Answer: If legitimate USB devices are being blocked by CrowdStrike Device Control, review the Device Control logs via Activity > Device Control in the Falcon Console. Check the details of blocked devices to identify their Vendor ID (VID) and Product ID (PID). If the device is legitimate, create an Allow rule for it by following the steps outlined in the article, using the correct VID and PID. Regularly reviewing logs will help refine your policies and ensure necessary devices are not hindered, while maintaining overall security.
  • Question: What are the best practices for managing USB device policies?
    Answer: Best practices for managing USB device policies in CrowdStrike Falcon include using Read-Only mode for approved devices to prevent unauthorized data modifications, and whitelisting only business-critical USB devices, thus minimizing the risk of data exfiltration. Regularly review logs to identify unauthorized USB usage and refine your policies accordingly. Additionally, consider implementing user notifications for blocked devices to improve transparency and compliance within your organization. These practices help balance security needs with operational efficiency.

CrowdStrike Falcon’s Device Control feature allows administrators to monitor, block, or restrict USB devices connected to endpoints. This helps prevent data exfiltration, unauthorized access, and malware infections via removable media.

This guide explains how to enable, configure, and manage Device Control policies in the CrowdStrike Falcon Console.


Step 1: Log Into the Falcon Console

  1. Open a browser and go to https://falcon.crowdstrike.com or https://falcon.us-2.crowdstrike.com/ (the URL varies by tenant).
  2. Sign in using your admin credentials.

Step 2: Enable Device Control

  1. In the left-hand menu, go to Configuration > Prevention Policies.
  2. Select the policy group where you want to enable Device Control (e.g., Standard, High Security, or a Custom Policy).
  3. Click Edit Policy.
  4. Navigate to the Device Control section.
  5. Toggle Enable Device Control to ON.
  6. Click Save Policy.

📌 Note: Once enabled, all USB activity will be logged, and restrictions will apply based on policy settings.


Step 3: Configure Device Control Rules

Option 1: Allow or Block All USB Storage Devices

  1. Click Add Rule.
  2. Select Rule Type: USB Storage Device.
  3. Choose an Action:
    • Allow – Grants full access to all USB storage devices.
    • Block – Prevents access to USB storage devices.
    • Read-Only – Allows access but prevents file modifications.
  4. Click Save Rule.

Option 2: Allow Only Specific USB Devices

  1. Click Add Rule.
  2. Select Rule Type: USB Device Vendor or Model.
  3. Enter the Vendor ID (VID) and Product ID (PID) of the approved USB device.
    • Example: SanDisk USB Drive (VID: 0781, PID: 5580).
  4. Set Action: Allow.
  5. Click Save Rule.

Option 3: Block Unauthorized USB Devices

  1. Click Add Rule.
  2. Select Rule Type: USB Device Vendor or Model.
  3. Set Action: Block.
  4. (Optional) Add a message to notify users why the device is blocked.
  5. Click Save Rule.
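
An added example (not part of the original guide and not CrowdStrike code): before adding a Block rule, this Python script checks an inventory of Windows USB instance IDs against the approved VID/PID list from Option 2 and ranks the pairs that are not covered, so they can be reviewed for an Allow rule. The inventory format, host names and sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Windows reports USB devices with instance IDs of the form
#   USB\VID_xxxx&PID_xxxx[&MI_nn]\<serial or location>
# (Device Manager "Device instance path", or Get-PnpDevice's InstanceId).
ID_RE = re.compile(
    r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&[^\\]*)?\\(.+)$", re.IGNORECASE)

# Approved (VID, PID) pairs: the SanDisk example from Option 2.
ALLOWED = {("0781", "5580")}

# Constructed sample inventory of (hostname, instance ID); not real endpoint data.
SAMPLE = [
    ("ws-001", r"USB\VID_0781&PID_5580\4C530001230101112233"),
    ("ws-002", r"USB\VID_0781&PID_5580\4C530001230101119999"),
    ("ws-002", r"USB\VID_0951&PID_1666\E0D55EA573DCF450"),
    ("ws-003", r"USB\vid_0951&pid_1666\E0D55EA573DCF451"),
    ("ws-003", r"USB\VID_046D&PID_C52B&MI_00\7&2A1B3C4D&0&0000"),
    ("ws-004", r"USBSTOR\DISK&VEN_SANDISK&PROD_ULTRA&REV_1.00\4C53&0"),
]


def parse_instance_id(instance_id):
    """Return (VID, PID, serial) with upper-case hex IDs, or None if no VID/PID."""
    m = ID_RE.match(instance_id.strip())
    return (m.group(1).upper(), m.group(2).upper(), m.group(3)) if m else None


def audit(inventory, allowed=ALLOWED):
    """Rank VID/PID pairs missing from the allow list by number of hosts using them."""
    allowed = {(v.upper(), p.upper()) for v, p in allowed}
    unapproved, skipped = defaultdict(set), []
    for host, instance_id in inventory:
        parsed = parse_instance_id(instance_id)
        if parsed is None:
            skipped.append((host, instance_id))  # e.g. USBSTOR child entries
        elif parsed[:2] not in allowed:
            unapproved[parsed[:2]].add(host)
    ranked = sorted(unapproved.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(vid, pid, sorted(hosts)) for (vid, pid), hosts in ranked], skipped


if __name__ == "__main__":
    review, skipped = audit(SAMPLE)
    for vid, pid, hosts in review:
        print(f"VID {vid} PID {pid}: not on allow list, seen on {', '.join(hosts)}")
    print(f"{len(skipped)} entries without a VID/PID were skipped")
```

The check matches on VID and PID only, so it does not distinguish storage devices from other USB device classes; confirm what each flagged pair is before deciding on a rule.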

Step 4: Assign Device Control Policies to Endpoints

  1. Go to Hosts > Host Management.
  2. Select the endpoints where the policy should apply.
  3. Assign the prevention policy containing the Device Control rules.
  4. Click Apply Policy.

Step 5: Monitor USB Activity

  1. Navigate to Activity > Device Control in the Falcon Console.
  2. View logs of USB devices connected to endpoints.
  3. Filter by Blocked Devices to check enforcement.
  4. Adjust rules if necessary based on security requirements.

Best Practices for Device Control

✅ Use Read-Only Mode for Approved Devices – Prevents unauthorized data modifications.
✅ Whitelist Business-Critical USB Devices – Allow only necessary storage devices.
✅ Regularly Review Logs – Identify unauthorized USB usage and refine policies.
