Microsoft Announces New Security Defaults for Windows 365 Cloud PCs
Summary
1. Redirection controls disable clipboard, drive, USB, and printer access by default to prevent data exfiltration and malware injection.
2. Virtualization-based security enables VBS, Credential Guard, and HVCI on Windows 11 Cloud PCs to fortify against credential theft and kernel exploits.
3. Selective implementation requires IT admins to manually override settings via Intune or GPOs for necessary redirections, with USB mice/keyboards remaining unaffected.
4. Phased administrative deployment begins late 2025 via Intune policies, requiring manual override of defaults for necessary redirections.
Microsoft unveiled significant security enhancements for Windows 365 Cloud PCs on June 18, 2025, introducing new default configurations that prioritize data protection and system integrity.
The updates include disabling clipboard, drive, USB, and printer redirections by default, while enabling advanced security features like virtualization-based security (VBS), Credential Guard, and hypervisor-protected code integrity (HVCI) for Windows 11 gallery images.
Stricter Redirection Policies to Prevent Data Exfiltration
The most notable change involves disabling four key redirection types by default for all newly provisioned and reprovisioned Windows 365 Cloud PCs.
Clipboard, drive, USB, and printer redirections will be automatically disabled to minimize the risks of data exfiltration and malware injection.
This security-first approach aligns with Microsoft’s Secure Future Initiative (SFI), which emphasizes having security protections enabled and enforced by default.
The rollout will begin gradually in the second half of 2025, with IT administrators receiving advance notification through banners displayed in the Microsoft Intune Admin Center.
These banners will appear on provisioning policy, individual device action, and bulk action pages, providing links to documentation for overriding the default settings through Intune device configuration policies or Group Policy Objects (GPOs).
IT administrators who need to restore redirection capabilities can manage settings through two primary methods: the Intune Settings Catalog or traditional GPO configurations.
The system is designed to allow Intune to sync and implement administrator-defined settings after initial provisioning, overriding the restrictive defaults when policies are properly configured.
Advanced Virtualization Security Features
Since May 2025, Microsoft has been automatically enabling three critical security technologies on new Windows 365 Cloud PCs running Windows 11 gallery images.
Virtualization-based security (VBS) creates a secure memory enclave using hardware virtualization to protect critical system processes from advanced threats and malicious exploits.
Credential Guard leverages VBS infrastructure to secure authentication credentials, significantly reducing the risk of credential theft and lateral movement attacks within enterprise networks.
Meanwhile, hypervisor-protected code integrity (HVCI), also known as memory integrity, ensures only verified code can execute at the kernel level, preventing malicious exploits from compromising system integrity.
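A read-only check an administrator could run inside a Cloud PC to confirm the state described above. This is an added example, not Microsoft's code and not part of the original article. It reads VBS, Credential Guard and HVCI status from the Win32_DeviceGuard CIM class and reports any redirection setting present in machine policy. The function name is hypothetical, and mapping the four redirections to the Remote Desktop Services policy values fDisableClip, fDisableCdm, fDisableCpm and fDisablePNPRedir is an assumption of this example.

```powershell
# Added example: read-only report, run inside the Cloud PC session.
function Get-CloudPcSecurityReport {
    $report = [ordered]@{}

    # Win32_DeviceGuard exposes VBS state and the services running on top of it.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsStates = @{ 0 = 'Off'; 1 = 'EnabledNotRunning'; 2 = 'Running' }
    $vbsCode   = [int]$dg.VirtualizationBasedSecurityStatus
    $report['VBS'] = if ($vbsStates.ContainsKey($vbsCode)) { $vbsStates[$vbsCode] }
                     else { "Unknown($vbsCode)" }

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $running = @($dg.SecurityServicesRunning)
    $report['CredentialGuard'] = $running -contains 1
    $report['HVCI']            = $running -contains 2

    # Assumption: redirection overrides delivered by GPO or Intune appear as these
    # Remote Desktop Services policy values (1 = redirection blocked, 0 = allowed).
    $tsKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $policy = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
    $redirectionValues = [ordered]@{
        Clipboard = 'fDisableClip'
        Drive     = 'fDisableCdm'
        Printer   = 'fDisableCpm'
        USB       = 'fDisablePNPRedir'
    }
    foreach ($name in $redirectionValues.Keys) {
        $valueName = $redirectionValues[$name]
        $value = if ($policy) { $policy.$valueName } else { $null }
        $report["${name}Redirection"] =
            if ($null -eq $value) { 'NotConfiguredInPolicy' }
            elseif ($value -eq 1) { 'BlockedByPolicy' }
            else                  { 'AllowedByPolicy' }
    }

    [pscustomobject]$report
}

Get-CloudPcSecurityReport | Format-List
```

A result of `NotConfiguredInPolicy` only means no administrator policy value is present on the device; it does not show what the service default is applying.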
The new security defaults will affect user workflows, particularly for organizations that previously relied on seamless file transfers and device connectivity between local machines and Cloud PCs.
Microsoft recommends that IT teams communicate these changes proactively to end users and establish clear procedures for requesting redirection enablement when business requirements necessitate specific connectivity options.
For Windows 365 Frontline Cloud PCs operating in shared mode, the implementation varies depending on the reprovisioning method used.
Direct reprovisioning from the device overview page will maintain existing policy configurations, while reprovisioning from the provisioning policy page will apply the new restrictive defaults.
This distinction allows administrators to maintain granular control over security posture across different deployment scenarios.