How to setup CrowdStrike Device Control

10 February 11, 2025

CrowdStrike Falcon’s Device Control feature allows administrators to monitor, block, or restrict USB devices connected to endpoints. This helps prevent data exfiltration, unauthorized access, and malware infections via removable media.

This guide explains how to enable, configure, and manage Device Control policies in the CrowdStrike Falcon Console.

Step 1: Log Into the Falcon Console

  1. Open a browser and go to https://falcon.crowdstrike.com.
  2. Sign in using your admin credentials.

Step 2: Enable Device Control

  1. In the left-hand menu, go to Configuration > Prevention Policies.
  2. Select the policy group where you want to enable Device Control (e.g., Standard, High Security, or a Custom Policy).
  3. Click Edit Policy.
  4. Navigate to the Device Control section.
  5. Toggle Enable Device Control to ON.
  6. Click Save Policy.

📌 Note: Once enabled, all USB activity will be logged, and restrictions will apply based on policy settings.

Step 3: Configure Device Control Rules

Option 1: Allow or Block All USB Storage Devices

  1. Click Add Rule.
  2. Select Rule Type: USB Storage Device.
  3. Choose an Action:
    • Allow – Grants full access to all USB storage devices.
    • Block – Prevents access to USB storage devices.
    • Read-Only – Allows access but prevents file modifications.
  4. Click Save Rule.

Option 2: Allow Only Specific USB Devices

  1. Click Add Rule.
  2. Select Rule Type: USB Device Vendor or Model.
  3. Enter the Vendor ID (VID) and Product ID (PID) of the approved USB device.
    • Example: SanDisk USB Drive (VID: 0781, PID: 5580).
  4. Set Action: Allow.
  5. Click Save Rule.

Option 3: Block Unauthorized USB Devices

  1. Click Add Rule.
  2. Select Rule Type: USB Device Vendor or Model.
  3. Set Action: Block.
  4. (Optional) Add a message to notify users why the device is blocked.
  5. Click Save Rule.

Step 4: Assign Device Control Policies to Endpoints

  1. Go to Hosts > Host Management.
  2. Select the endpoints where the policy should apply.
  3. Assign the prevention policy containing the Device Control rules.
  4. Click Apply Policy.

Step 5: Monitor USB Activity

  1. Navigate to Activity > Device Control in the Falcon Console.
  2. View logs of USB devices connected to endpoints.
  3. Filter by Blocked Devices to check enforcement.
  4. Adjust rules if necessary based on security requirements.

Best Practices for Device Control

Use Read-Only Mode for Approved Devices – Prevents unauthorized data modifications.
Whitelist Business-Critical USB Devices – Allow only necessary storage devices.
Regularly Review Logs – Identify unauthorized USB usage and refine policies.