Microsoft has unveiled two critical security enhancements for Windows 365 Cloud PCs, embedding advanced protections by default to combat data exfiltration and kernel-level exploits.
These changes—disabling high-risk redirections and enabling virtualization-based security features—reflect the Microsoft Secure Future Initiative (SFI) commitment to “security by default.”
The updates target newly provisioned and reprovisioned Cloud PCs, minimizing manual configuration needs while strengthening enterprise defense postures against evolving cyberthreats.
Clipboard, drive, USB, and printer redirections will now be disabled by default for all newly provisioned or reprovisioned Windows 365 Cloud PCs.
This change, rolling out in late 2025, prevents unauthorized data transfers between physical devices and Cloud PCs—a common vector for malware injections and credential theft.
USB exceptions include mice, keyboards, and webcams, which operate via high-level redirection and remain unaffected.
IT admins will see notification banners in Microsoft Intune Admin Center, with documentation guiding policy overrides via Intune device configuration or Group Policy Objects (GPOs).

Crucially, Azure Virtual Desktop host pools inherit these defaults, extending security standardization across Microsoft’s cloud ecosystem.
For Frontline Cloud PCs in shared mode, reprovisioning must initiate from provisioning policies—not device overview pages—to apply the new settings.
Workflow Implications
Organizations requiring re-enabled redirections must deploy Intune Settings Catalog policies or GPOs post-provisioning, as sync processes will override defaults.
Microsoft recommends leveraging Intune’s “All devices” group and filters for rapid policy deployment, alongside user communication about workflow impacts (e.g., blocked file transfers via clipboard).

Reprovisioning exceptions exist: Existing Frontline devices retain legacy redirection settings unless reprovisioned via policy pages, where admins must schedule implementations post-rollout.
This tiered approach balances security hardening with operational flexibility, though Microsoft emphasizes proactive user training to mitigate productivity disruptions.
Virtualization-Based Security Activations
According to the report, all new or reprovisioned Windows 11 Cloud PCs enable three virtualization-based defenses by default: Virtualization-Based Security (VBS), Credential Guard, and Hypervisor-Protected Code Integrity (HVCI).
VBS creates hardware-isolated memory enclaves to shield system processes; Credential Guard locks authentication secrets against lateral movement attacks; HVCI enforces kernel-mode code signing to block unverified executions.
These features—visible via Windows System Information—collectively harden against credential theft and zero-day exploits without admin intervention.
Documentation confirms VBS underpins both Credential Guard and HVCI, creating a layered security architecture optimized for cloud environments.
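To confirm on a Cloud PC that the three features described above are actually running, an admin can query the Win32_DeviceGuard CIM class instead of reading System Information by hand. The script below is an added example, not Microsoft's code or part of the original report; the function name Get-VbsPosture and the compliance rule (VBS running plus both services running) are assumptions.

```powershell
# Added example (not from the original article): report VBS, Credential Guard
# and HVCI state on the local machine. Get-VbsPosture is a hypothetical name.
# Save as a .ps1 file and run it on the Cloud PC.
function Get-VbsPosture {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard exposes the Device Guard / VBS state of the machine.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # Value mapping for VirtualizationBasedSecurityStatus.
    $vbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    $vbsCode   = [int]$dg.VirtualizationBasedSecurityStatus

    # SecurityServices* are arrays of service IDs: 1 = Credential Guard, 2 = HVCI.
    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)

    $result = [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsStatus                 = $vbsStates[$vbsCode]
        CredentialGuardConfigured = $configured -contains 1
        CredentialGuardRunning    = $running -contains 1
        HvciConfigured            = $configured -contains 2
        HvciRunning               = $running -contains 2
    }

    # Assumed compliance rule: all three defaults named in the article are active.
    $compliant = ($vbsCode -eq 2) -and $result.CredentialGuardRunning -and $result.HvciRunning
    $result | Add-Member -NotePropertyName Compliant -NotePropertyValue $compliant -PassThru
}

try {
    $posture = Get-VbsPosture
    $posture | Format-List
    if (-not $posture.Compliant) {
        # Configured-but-not-running is worth a closer look before escalating.
        Write-Warning 'VBS, Credential Guard or HVCI is not running; check for a pending restart or a policy override.'
        exit 1
    }
}
catch {
    Write-Error "Could not query Win32_DeviceGuard: $($_.Exception.Message)"
    exit 2
}
```

The non-zero exit codes let a scheduled compliance check distinguish a machine that fails the rule (1) from one where the query itself failed (2).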
These updates signify Microsoft’s shift toward automated, hardware-enforced security in cloud workspaces.
By standardizing critical protections, Windows 365 reduces configuration gaps while aligning with SFI’s principle of “secure by design.” Enterprises should audit redirection dependencies and prepare policy adjustments ahead of the late-2025 rollout.