By rssfeeds-admin 
Microsoft has announced significant security enhancements for Windows 365 Cloud PCs, introducing new default configurations aimed at reducing data exfiltration and malware risks.
Starting in the second half of 2025, newly provisioned and reprovisioned Cloud PCs will have clipboard, drive, USB, and printer redirections disabled by default.
These changes align with Microsoft’s Secure Future Initiative and apply to both Windows 365 and Azure Virtual Desktop environments.
Redirection Features Disabled by Default
The updated security posture specifically targets four redirection capabilities to minimize attack surfaces:
| Feature | Default Status | Impact | Exceptions |
|---|---|---|---|
| Clipboard | Disabled | Blocks text/file transfer between Cloud PC and local device | Overridable via Intune/GPO policies |
| Drive | Disabled | Prevents local Cloud file sharing |
Overridable via Intune/GPO policies |
| USB (low-level) | Disabled | Blocks mass storage devices | Keyboards, mice, webcams exempt (use high-level redirection) |
| Printer | Disabled | Disables local printing from Cloud PC | Overridable via Intune/GPO policies |
These defaults aim to prevent data theft and vectors while allowing essential peripherals to function normally.
IT administrators can override these settings using Microsoft Intune device configuration policies or Group Policy Objects (GPOs) for business-critical workflows.
Virtualization-Based Security Protections
Since May 2025, all new Windows 11-based Cloud PCs have three key security features enabled by default:
- Virtualization-Based Security (VBS): Creates hardware-isolated memory enclaves to protect critical processes.
- Credential Guard: Secures authentication tokens using VBS to prevent credential theft.
- Hypervisor-Protected Code Integrity (HVCI): Ensures only signed kernel-level code executes, blocking kernel exploits.
These hardware-enforced protections operate without requiring manual configuration and defend against advanced credential theft and kernel attacks.
Rollout begins gradually in late 2025, with notifications appearing in the Microsoft Intune Admin Center.
Administrators must reprovision existing Frontline Cloud PCs through provisioning policies to apply the new defaults.
The changes underscore Microsoft’s shift toward “secure by default” postures while maintaining flexibility for enterprise-specific needs.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
The post Microsoft Implements New Security Defaults to Safeguard Windows 365 Cloud PCs appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.