Features

What PermitUSB does today, by area. It's a USB device control platform for Windows endpoints: block-by-default whitelisting with a cloud control plane.

Enforcement

  • Block-by-default whitelisting for USB devices
  • User-mode enforcement via the Windows Configuration Manager APIs
  • Match on vendor/product (VID/PID), serial, device group, vendor name, or device class
  • Allow, block, read-only (mass storage), and audit actions
  • Built-in HID-class guardrails
  • HID-injection detection - flags rapid keystroke injection (BadUSB / Rubber Ducky) by typing rate, prompts the user, and raises a security event if the user declines

Cloud management

  • Multi-tenant dashboard with per-tenant data isolation
  • Email/password sign-in with TOTP multi-factor authentication
  • Role-based access: owner, admin, operator, auditor
  • User invitations
  • Endpoint groups with per-group policies
  • Per-group discovery mode for risk-free rollout (default 14 days)

Operations

  • Tray app with a toast on every block
  • Service ACL self-protection
  • Watchdog that re-disables a manually re-enabled blocked device
  • Stale-policy fail-closed when an endpoint loses cloud connectivity
  • Tamper event reporting

Deployment

  • EV code-signed MSI installer
  • One-line PowerShell install from the dashboard
  • Group Policy and Microsoft Intune deployment guides

Billing and lifecycle

  • Stripe Checkout and Customer Portal
  • 14-day no-card trial
  • Trial expiry with a 30-day grace period

Compliance and observability

  • Admin audit log
  • Event export to CSV and JSON
  • SIEM forwarding in CEF (Common Event Format) - the agent writes device and security events to the Windows event log, and an on-prem relay for Windows or Linux pulls them to your syslog SIEM (NeQter, rsyslog, QRadar, and the like)
  • NIST 800-171 control mapping
  • Email and webhook alerts