
CrowdStrike Device Control Setup: Block USB, Find Device IDs & Configure Policies

Complete guide to CrowdStrike Falcon device control. Find USB Vendor ID and Product ID, block or whitelist USB drives, and configure USB policies with step-by-step instructions.

15 min read · Updated January 2026


CrowdStrike Falcon's **Device Control** feature allows administrators to **monitor, block, or restrict USB devices** connected to endpoints. This helps prevent **data exfiltration, unauthorized access, and malware infections** via removable media.

This guide explains how to **enable, configure, and manage Device Control policies** in the CrowdStrike Falcon Console.


Finding USB Vendor ID (VID) and Product ID (PID)

Before configuring device rules, you need to identify the Vendor ID (VID) and Product ID (PID) of USB devices you want to allow or block.

Windows: Using Device Manager

  1. Connect the USB device to a Windows endpoint
  2. Open Device Manager (Win+X > Device Manager)
  3. Expand Universal Serial Bus controllers or Disk drives
  4. Right-click the USB device > Properties
  5. Go to the Details tab
  6. Select Hardware Ids from the dropdown
  7. Look for the format: USB\VID_XXXX&PID_YYYY
    • Example: USB\VID_0781&PID_5580 = VID: 0781, PID: 5580

Windows: Using PowerShell

```powershell
# List all USB devices with VID and PID
Get-PnpDevice -Class USB | ForEach-Object {
    $props = Get-PnpDeviceProperty -InstanceId $_.InstanceId
    $hwid = ($props | Where-Object KeyName -eq 'DEVPKEY_Device_HardwareIds').Data
    [PSCustomObject]@{
        Name = $_.FriendlyName
        HardwareId = $hwid -join "`n"
    }
} | Where-Object { $_.HardwareId -match 'VID_' }
```

macOS: Using System Information

  1. Connect the USB device
  2. Click Apple menu > About This Mac > System Report
  3. Select USB in the left sidebar
  4. Click on the device to view details
  5. Look for Vendor ID and Product ID

Linux: Using lsusb

```bash
# List all USB devices with VID:PID
lsusb

# Example output:
# Bus 002 Device 003: ID 0781:5580 SanDisk Corp. Extreme Portable SSD
#                        ^^^^:^^^^ = VID:PID
```

Common Corporate Device IDs

Use this reference table for frequently whitelisted corporate devices:

| Device Type | Manufacturer | Vendor ID (VID) | Common PIDs | Notes |
|---|---|---|---|---|
| USB Flash Drives | SanDisk | 0781 | 5580, 5583, 5591 | Extreme, Ultra series |
| USB Flash Drives | Kingston | 0951 | 1666, 168A | DataTraveler series |
| USB Flash Drives | Lexar | 05DC | Various | JumpDrive series |
| Printers | HP | 03F0 | Various | Check specific model |
| Printers | Canon | 04A9 | Various | PIXMA, imageCLASS |
| Printers | Epson | 04B8 | Various | WorkForce, EcoTank |
| Scanners | Canon | 04A9 | 1909, 190A | CanoScan series |
| Scanners | Fujitsu | 04C5 | Various | ScanSnap series |
| Webcams | Logitech | 046D | 0825, C922, C920 | HD Pro, StreamCam |
| Docking Stations | Dell | 413C | Various | WD19, D6000 series |
| Docking Stations | Lenovo | 17EF | Various | ThinkPad docks |
| YubiKeys | Yubico | 1050 | 0407, 0402 | YubiKey 5 series |
| Smart Card Readers | HID Global | 076B | 502A, 5421 | OMNIKEY series |

Note: PIDs vary by specific model. Always verify the exact VID/PID of your organization's devices before creating rules.
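
As an added example (not part of the original guide and not CrowdStrike code), the following Python normalizes the two ID formats shown above, the Windows hardware ID and the `lsusb` line, and checks each device against an approved-device registry. The `APPROVED` registry, the sample strings, the PID `55A1` and the verdict names are constructed for illustration.

```python
import re

# Formats shown on this page:
#   Windows hardware ID:  USB\VID_0781&PID_5580
#   lsusb line:           Bus 002 Device 003: ID 0781:5580 SanDisk Corp. ...
_WINDOWS = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.IGNORECASE)
_LSUSB = re.compile(r"\bID ([0-9A-F]{4}):([0-9A-F]{4})\b", re.IGNORECASE)

def parse_vid_pid(text):
    """Return (VID, PID) as upper-case 4-digit hex strings, or None."""
    for pattern in (_WINDOWS, _LSUSB):
        m = pattern.search(text)
        if m:
            return m.group(1).upper(), m.group(2).upper()
    return None

def classify(text, approved):
    """Compare one observed device string against the approved registry.

    approved maps VID -> set of approved PIDs (upper-case hex).
    """
    ids = parse_vid_pid(text)
    if ids is None:
        return "unparsed"
    vid, pid = ids
    if pid in approved.get(vid, set()):
        return "approved"
    if vid in approved:
        # Known vendor, unlisted model: either a different product or an
        # approved device whose PID changed. Re-identify before editing rules.
        return "vendor-only"
    return "unknown"

# Constructed registry (assumption), using IDs from the table above.
APPROVED = {"0781": {"5580", "5583", "5591"}, "1050": {"0407", "0402"}}

# Constructed sample observations, not real endpoint output.
SAMPLES = [
    r"USB\VID_0781&PID_5580&REV_0100",
    "Bus 002 Device 003: ID 0781:5580 SanDisk Corp. Extreme Portable SSD",
    r"usb\vid_0781&pid_55a1",
    "Bus 001 Device 004: ID 0951:1666 Kingston Technology DataTraveler",
    "Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub",
    r"ROOT\LEGACY_DEVICE",
]

def report(samples=SAMPLES, approved=APPROVED):
    """Return [((VID, PID) or None, verdict), ...] for each sample string."""
    return [(parse_vid_pid(s), classify(s, approved)) for s in samples]
```

Devices reported as `vendor-only` or `unknown` are the ones to re-identify and document before adding or changing an Allow rule.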


Step 1: Log Into the Falcon Console

  - Open a browser and go to [https://falcon.crowdstrike.com](https://falcon.crowdstrike.com/) or [https://falcon.us-2.crowdstrike.com/](https://falcon.us-2.crowdstrike.com/) (varies by tenant).
  - Sign in using your **admin credentials**.

---

Step 2: Enable Device Control

  - In the **left-hand menu**, go to **Configuration** > **Prevention Policies**.
  - Select the **policy group** where you want to enable Device Control (e.g., **Standard, High Security, or a Custom Policy**).
  - Click **Edit Policy**.
  - Navigate to the **Device Control** section.
  - Toggle **Enable Device Control** to **ON**.
  - Click **Save Policy**.

📌 **Note:** Once enabled, all USB activity will be logged, and restrictions will apply based on policy settings.

---

Step 3: Configure Device Control Rules

Option 1: Allow or Block All USB Storage Devices

  - Click **Add Rule**.
  - Select **Rule Type: USB Storage Device**.
  - Choose an **Action**:
    • Allow – Grants full access to all USB storage devices.
    • Block – Prevents access to USB storage devices.
    • Read-Only – Allows access but prevents file modifications.
  - Click **Save Rule**.

Option 2: Allow Only Specific USB Devices

  - Click **Add Rule**.
  - Select **Rule Type: USB Device Vendor or Model**.
  - Enter the **Vendor ID (VID)** and **Product ID (PID)** of the approved USB device.
    • Example: SanDisk USB Drive (VID: 0781, PID: 5580).
  - Set **Action: Allow**.
  - Click **Save Rule**.

Option 3: Block Unauthorized USB Devices

  - Click **Add Rule**.
  - Select **Rule Type: USB Device Vendor or Model**.
  - Set **Action: Block**.
  - (Optional) Add a **message** to notify users why the device is blocked.
  - Click **Save Rule**.

---

Step 4: Assign Device Control Policies to Endpoints

  - Go to **Hosts** > **Host Management**.
  - Select the endpoints where the policy should apply.
  - Assign the **prevention policy** containing the Device Control rules.
  - Click **Apply Policy**.

---

Step 5: Monitor USB Activity

  - Navigate to **Activity** > **Device Control** in the Falcon Console.
  - View logs of **USB devices connected to endpoints**.
  - Filter by **Blocked Devices** to check enforcement.
  - Adjust rules if necessary based on security requirements.

---

Troubleshooting Device Control

Previously Allowed Device Now Blocked

If a USB device that was previously allowed is now being blocked:

  1. Check if firmware updated the VID/PID: Some devices change their hardware ID after firmware updates

    • Re-identify the device using Device Manager or PowerShell
    • Update the exclusion rule with the new VID/PID
  2. Verify the rule still exists: Navigate to Prevention Policies > Device Control and confirm the Allow rule is present

  3. Check for policy conflicts: If multiple policies apply, the most restrictive rule wins

Can't Find Device in Device Manager

If the USB device doesn't appear in Device Manager:

  1. Try a different USB port (preferably directly on the computer, not a hub)
  2. Check if the device requires drivers - install manufacturer drivers first
  3. Look under "Other devices" for unrecognized hardware
  4. Use devmgmt.msc from Run dialog if Device Manager won't open normally

Block Rules Not Taking Effect

If devices continue to work despite Block rules:

  1. Wait for policy sync: Allow 5-10 minutes for policy propagation
  2. Verify sensor version: Device Control requires recent sensor versions
  3. Check host group assignment: Ensure the endpoint is in the correct host group
  4. Disconnect and reconnect: The device may need to be unplugged and reconnected

Identifying Unknown USB Devices

When a blocked device has no friendly name in logs:

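```powershell
# Windows: look up a VID in the registry
$vid = "0781"  # Replace with your VID
# Match on the key name (e.g. VID_0781&PID_5580) so the value is compared
# against the VID field only, not against a PID that contains the same digits
Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Enum\USB" |
    Where-Object { $_.PSChildName -match "^VID_$vid" }
```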

Or use online VID/PID lookup databases:


Deployment Checklist

Pre-Deployment

  • Identify all business-critical USB devices (storage, printers, security keys)
  • Collect VID/PID for approved devices
  • Document current USB usage patterns (review Device Control logs in monitoring mode first)
  • Prepare user communication template
  • Define pilot group for initial rollout

Pilot Rollout (Week 1)

  • Create Device Control policy in Monitor Only mode
  • Apply to pilot group (10-20 users)
  • Review logs daily for unexpected blocks
  • Add Allow rules for legitimate devices discovered
  • Gather feedback from pilot users

Production Rollout (Week 2+)

  • Switch pilot group to Enforcement mode
  • Monitor for support tickets related to USB blocking
  • Refine rules based on feedback
  • Gradually expand to additional host groups
  • Document all approved device exceptions

Post-Deployment

  • Schedule quarterly USB policy reviews
  • Create process for requesting new device exceptions
  • Monitor for new device types being blocked
  • Update documentation as policies change

Best Practices for Device Control

✅ **Use Read-Only Mode for Approved Devices** – Prevents unauthorized data modifications.
✅ **Whitelist Business-Critical USB Devices** – Allow only necessary storage devices.
✅ **Regularly Review Logs** – Identify unauthorized USB usage and refine policies.
✅ **Start with Monitor Mode** – Observe USB usage before enforcing blocks.
✅ **Document All Exceptions** – Maintain a registry of approved VID/PIDs with business justification.


Frequently Asked Questions

Find answers to common questions

To allow only specific USB devices in CrowdStrike Falcon, navigate to Configuration > Prevention Policies and select your desired policy group. Click 'Add Rule' under the Device Control section, then select 'USB Device Vendor or Model' as the Rule Type. Enter the Vendor ID (VID) and Product ID (PID) of the approved USB device, such as SanDisk USB Drive (VID: 0781, PID: 5580). Set the Action to 'Allow' and click 'Save Rule.' This ensures only the specified devices can connect, enhancing security by preventing unauthorized devices from being used.
