Microsoft has announced new Windows 365 security defaults starting in the second half of 2025 and affecting newly provisioned and reprovisioned Cloud PCs.
The company said these changes include disabling the clipboard, drive, USB, and printer redirections by default to block users from copying files between Cloud PCs and physical devices through clipboard functions to reduce risks of data theft and block malware attacks.
However, while USB redirections will be disabled by default, they only target low-level device access, which means that USB mice, keyboards, and webcams will not be affected since they're managed through high-level redirection. These new security defaults will also be applied to newly created host pools for Azure Virtual Desktop.
Starting last month, Microsoft has also enabled virtualization-based security, Credential Guard, and hypervisor-protected code integrity (HVCI) by default on Windows 365 Cloud PCs running Windows 11 gallery images to create secure memory enclaves and prevent malicious code execution at the kernel level.
"Windows 365 is enhancing Cloud PC security by having clipboard, drive, USB, and printer redirections disabled by default for all newly provisioned and reprovisioned Cloud PCs," Microsoft said.
"Since May 2025, all newly provisioned and reprovisioned Windows 365 Cloud PCs running a Windows 11 gallery image have VBS, Credential Guard, and HVCI enabled by default."
Microsoft will also display notification banners in the Intune Admin Center to alert IT administrators about the changes and allow them to override the new defaults using Intune device configuration policies or Group Policy Objects if their end-users require specific redirection capabilities.
Intune admin center banner about new redirection defaults (Microsoft)
"When new Cloud PCs are provisioned, the new defaults for disabling redirections will be applied," the company explained. "Subsequently, Intune will sync and implement the IT admin's desired settings from the existing policies, overriding the default configurations. This process assumes that the new Cloud PC is being added to an existing group that has been assigned to the relevant policy."
On Tuesday, Microsoft announced it would begin updating security defaults for all Microsoft 365 tenants in July to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols.
... continue reading